Abstract


When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness called fairness. In this paper we develop a new I/O automaton model, and a new timed I/O automaton model, that permit the verification of general liveness properties on the basis of existing verification techniques. Our models include a notion of environment-freedom which generalizes the idea of receptiveness of other existing formalisms, and enables the use of compositional verification techniques. The presentation includes an embedding of the untimed model into the timed model which preserves all the interesting attributes of the untimed model. Thus, our models constitute a coordinated framework for the description of concurrent and distributed systems satisfying general liveness properties.
1 Introduction


The increasing need for reliable software has led the scientific community to develop many 
formalisms for verification. Particularly important are formalisms that can model distributed 
and concurrent systems and those that can model real time systems, i.e., systems that rely 
on time constraints in order to guarantee correct behavior. Formalisms should be able to 
support verification of both safety and liveness properties [AS85]. Roughly speaking, a liveness 
property specifies that certain desirable events will eventually occur, while a safety property 
specifies that undesirable events will never occur. 

In this paper, we present a coordinated framework that permits modeling and verification of safety and liveness properties for both timed and untimed systems. The framework consists of two models, one timed and one untimed, with an embedding of the untimed model into the timed model. Both models come equipped with notions of external behavior and of implementation, which are based simply on traces. The framework is intended to support a variety of verification techniques, including simulation methods, compositional reasoning, algebraic methods, and temporal logic methods.

A successful technique for the verification of safety properties and some special liveness 
properties is based on the simulation method of [AL91a, LV91, LV93a, LV93b, Jon91], applied 
to the Input/Output automaton model of [LT87] and to its generalization to the timed case 
[MMT91]. I/O automata are state machines with a labeled transition relation where the labels, 
also called actions, model communication. A key feature of I/O automata is the explicit 
distinction between their input and output actions, which characterize the events under the 
control of the environment and those under the control of the automaton, respectively. I/O 
automata can handle general safety properties and can also deal with a special kind of liveness, 
called fairness. Fairness captures the intuitive idea that each subcomponent of a composed 
system has fair chances to make progress. The notion of implementation for I/O automata, 
i.e., the way a concrete system is said to implement a more abstract specification, is expressed 
through fair trace inclusion, where a fair trace of an I/O automaton is a sequence of actions 
that can occur whenever the I/O automaton respects its fairness property. I/O automata can 
be composed in parallel, i.e., they can interact together so that they can be viewed as a single 
large system. An important property of I/O automata is that the implementation relation is 
compositional in the sense that it is always safe to replace a subcomponent in a large system 
with one of its implementations. Compositionality is needed for modular design techniques. 

Despite its success, the I/O automaton model is not general enough to handle some recent verification work in [SLL93, LLS93]. In particular, [SLL93, LLS93] provide examples where fairness is not adequate as a liveness condition. Moreover, the work in [SLL93, LLS93] has shown the need for a connection between timed and untimed models to prove that an implementation that uses timing constraints correctly implements an untimed specification. The mutual exclusion algorithm of Fischer [Fis85, AL91b] is another instance of a timed implementation for an untimed specification.

This motivates a generalization of the I/O automaton model and its timed version to handle 
general liveness properties in such a way that the simulation based proof method still applies. 


A simple and natural generalization is motivated by [AL93], which models a machine as a pair (A, L) consisting of an automaton A and a subset L of its behaviors satisfying the desired liveness property. The implementation notion can then be expressed by live trace inclusion just as fair trace inclusion expresses implementation for I/O automata. The use of live trace inclusion as the implementation notion is motivated by the fact that the simulation based proof method is known to work for implementation notions based on some form of trace inclusion. Unfortunately, if L is not restricted, simple examples show that live trace inclusion is not compositional (cf. Examples 3.29 and 3.34).

In this paper we identify the appropriate restrictions on L, in both the untimed model and 
the timed model, so that live trace inclusion is compositional for the pair (A, L). A pair (A, L) 
satisfying these restrictions on L is called a live I/O automaton in the untimed model and a live 
timed I/O automaton in the timed model. The restrictions on L are given by a property called 
environment-freedom, which captures the intuitive idea that a live (timed) I/O automaton 
must not constrain its environment. The environment-freedom property is defined, using ideas 
from [Dil88], by means of a two-person game between a live (timed) I/O automaton and its 
environment. Specifically, the environment provides arbitrary inputs while the system tries 
to react so that it behaves according to its liveness condition. A live (timed) I/O automaton 
(A, L) has a winning strategy against its environment if A can respond to any environment 
move in such a way that it will always eventually satisfy its liveness condition L. If a live 
(timed) I/O automaton has a winning strategy, then it is said to be environment-free. 

The definitions of the environment-freedom property in the untimed and the timed model 
are closely related. In particular, the environment-freedom property for the timed model 
is a natural extension of the environment-freedom property for the untimed model up to 
some technical details involving the so called Zeno behaviors. The close relation between the 
environment-freedom property in the untimed and the timed model allows the models to be tied 
together, thus permitting the verification of timed implementations of untimed specifications. 
Specifically, the paper presents a patient operator [NS92, VL92] that converts (untimed) live 
I/O automata into live timed I/O automata without timing constraints. The patient operator 
preserves the environment-freedom property and the live trace preorder relation of the untimed 
model. Thus, the patient operator provides the mechanism by which the timed and untimed 
models are unified into a coordinated framework. 

Our models generalize several existing models. The fairness condition of I/O automata 
satisfies the environment-freedom property; thus, live I/O automata are a proper generalization 
of I/O automata. Environment-freedom also implies feasibility as defined in [LS89]. The failure 
free complete trace structures of [Dil88] are also properly generalized by our model. In the 
timed case, our model generalizes [MMT91] and the notion of strong I/O feasibility introduced 
in [VL92]. Finally, in contrast to [AL91b], our timed model does not give either the system or 
the environment control over the passage of time. 

In order to extend the simulation based proof method to our model, we introduce an execution correspondence theorem which builds on a similar lemma of [LT87] by extending the result to some of the simulation relations studied in [LV93a, LV93b]. The execution correspondence theorem says that the existence of a simulation relation between two automata induces a strict correspondence between their behaviors. The paper shows how such a correspondence can be used to prove live trace inclusion.

We believe that our coordinated untimed and timed models comprise a good general 
framework for verification of concurrent systems. The models have already been used in 
[SLL93, LLS93] which deal with a non-trivial system, a communication protocol used in the 
Internet, and require all the new expressiveness and simulation tools provided in this paper. 

After some preliminary definitions, given in Section 2, the paper is divided into four main 
sections. Section 3 presents the untimed model, Section 4 presents the timed model, Section 5 embeds the untimed model into the timed model by means of the patient operator, 
and Section 6 extends the simulation method to live (timed) I/O automata. The presentation 
of both the untimed and timed models starts with a general automaton model with liveness 
conditions in the style of [AL91b]; then the I/O distinction is introduced together with the 
environment-freedom property. The presentation of the untimed model also includes several 
examples that motivate the definition of environment-freedom and show that there does not 
seem to be any trivial generalization of our environment-freedom property that still leads to 
the compositionality of the live trace preorder. Once live (timed) I/O automata are defined for 
each model, the paper introduces the corresponding notions of implementation and compares 
our model with other existing models. 


2 Preliminaries 


Notation for Natural Numbers 


Unless otherwise stated, indices like i, j, and k as well as the constant N range over the natural numbers $\mathbb{N}_0$. The notation $0 < i < \infty$, as well as the notation $0 < i \le \infty$, states that i is a positive natural number. Similarly, the notation $\{0, 1, \ldots, \infty\}$ denotes the set of natural numbers.


Sequences 


We use “list” and “sequence” synonymously. The empty sequence is denoted by ε. A finite sequence $l_1 = e_1 \ldots e_n$ and a sequence $l_2 = e_{n+1} e_{n+2} \ldots$ can be concatenated. The concatenation, written $l_1 \frown l_2$, or sometimes just $l_1 l_2$, is the sequence $e_1 \ldots e_n e_{n+1} e_{n+2} \ldots$

A sequence $l_1$ is a prefix of a sequence $l_2$, written $l_1 \le l_2$, if either $l_1 = l_2$, or $l_1$ is finite and there exists a sequence $l'_1$ such that $l_2 = l_1 \frown l'_1$.

For any sequence $l_2$ and any finite sequence $l_1$ with $l_1 \le l_2$, we denote by $l_2 - l_1$ the unique sequence $l'_1$ such that $l_2 = l_1 \frown l'_1$.

For any non-empty sequence $l = e_1 e_2 e_3 \ldots$, define head(l) to be $e_1$, the first element of l, and tail(l) to be the sequence $e_2 e_3 \ldots$, the rest of l.


König’s Lemma

The following lemma about digraphs is a generalization of König’s Lemma. This generalization also appears in [LV93a]. A root in a digraph is a node with no incoming edges.


Lemma 2.1 (Generalization of König’s Lemma)


Let G be an infinite digraph that satisfies the following properties: 
1. G has finitely many roots. 
2. Each node of G has finite outdegree. 
3. Each node of G is reachable from some root of G. 


Then there is an infinite path in G starting from some root. 


Proof. The usual proof of König’s Lemma [Kön26] extends to this case. □


3 Untimed Systems 


The discussion of untimed systems is organized as follows. Section 3.1 defines automata. 
Section 3.2 introduces live automata without I/O distinction. Section 3.3 defines safe I/O automata by adding an Input/Output distinction to safe automata, and introduces the standard 
parallel composition, action hiding, and action renaming operators found in the literature. 
Section 3.4 introduces environment-freedom, defines live I/O automata, and extends the op- 
erators of Section 3.3. Thus, the presentation separates the issue of liveness from that of I/O 
distinction and environment-freedom. Section 3.5 defines two preorder relations, the safe pre- 
order and the live preorder, and shows in what sense the live preorder can express a notion of 
implementation. Section 3.6 compares our model with existing work. 


3.1 Automata 


The following definition of an automaton is given in the style of [LT87] and essentially describes 
a transition system. 


Definition 3.1 (Automaton)

An automaton A consists of four components:

• a set states(A) of states.

• a nonempty set start(A) ⊆ states(A) of start states.

• an action signature sig(A) = (ext(A), int(A)) where ext(A) and int(A) are disjoint sets of external and internal actions, respectively. Denote by acts(A) the set ext(A) ∪ int(A).

• a transition relation steps(A) ⊆ states(A) × acts(A) × states(A). □


Thus, an automaton is a state machine with labeled steps. Its action signature describes the 
interface with the environment. It specifies which actions model events that are visible from 
the environment and which ones model internal events. 


An action a of automaton A is said to be enabled in state s if there exists a state s’ such that 
the step (s,a,s’) is an element of steps(A). 


An execution fragment α of an automaton A is a (finite or infinite) sequence of alternating states and actions starting with a state and, if the execution fragment is finite, ending in a state,

$$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots,$$

where each triplet $(s_i, a_{i+1}, s_{i+1})$ is an element of steps(A). Denote by fstate(α) the first state of α and, if α is finite, denote by lstate(α) the last state of α. Furthermore, denote by frag*(A), frag^ω(A) and frag(A) the sets of finite, infinite and all execution fragments of A, respectively. An execution is an execution fragment whose first state is a start state. Denote by exec*(A), exec^ω(A) and exec(A) the sets of finite, infinite and all executions of A, respectively. A state s of A is reachable if there exists a finite execution of A that ends in s.

A finite execution fragment $\alpha_1 = s_0 a_1 s_1 \cdots a_n s_n$ of A and an execution fragment $\alpha_2 = s_n a_{n+1} s_{n+1} \cdots$ of A can be concatenated. In this case the concatenation, written $\alpha_1 \frown \alpha_2$, is the execution fragment $s_0 a_1 s_1 \cdots a_n s_n a_{n+1} s_{n+1} \cdots$

An execution fragment $\alpha_1$ of A is a prefix of an execution fragment $\alpha_2$ of A, written $\alpha_1 \le \alpha_2$, if either $\alpha_1 = \alpha_2$, or $\alpha_1$ is finite and there exists an execution fragment $\alpha'_1$ of A such that $\alpha_2 = \alpha_1 \frown \alpha'_1$.

Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ be an execution fragment. The length of α is the number of actions occurring in α. The length is infinite for infinite execution fragments. Define the ith prefix, ith suffix, and (i, j)-segment of α, for $0 \le i \le j \le |\alpha|$, as

$$\alpha|_i = s_0 a_1 s_1 \cdots a_i s_i$$

$$\alpha|^i = \begin{cases} s_i a_{i+1} s_{i+1} \cdots & \text{if } i < |\alpha| \\ s_i & \text{if } \alpha \text{ is finite and } i = |\alpha| \end{cases}$$

$$\alpha|_i^j = s_i a_{i+1} s_{i+1} \cdots a_j s_j$$


The trace of an execution fragment α of an automaton A, written $trace_A(\alpha)$, or just trace(α) when A is clear from context, is the list obtained by restricting α to the set of external actions of A, i.e., trace(α) = α ⌈ ext(A), where ⌈ is the standard restriction operator on lists. Let β be a sequence of actions from acts(A). Then $trace_A(\beta)$, or just trace(β) when A is clear from context, denotes the list obtained by restricting β to the set of external actions of A. For a set S of executions of an automaton A, denote by $traces_A(S)$, or just traces(S) when A is clear from context, the set of traces of the executions in S. We say that β is a trace of an automaton A if there exists an execution α of A with trace(α) = β. Denote by traces*(A), traces^ω(A) and traces(A) the sets of finite, infinite and all traces of A, respectively. Note that a finite trace might be the trace of an infinite execution.


3.2 Live Automata 


The automaton A of Definition 3.1 can be thought of as expressing the safety properties of a system, i.e., what always holds, or equivalently what is never supposed to happen. The liveness properties of a system, i.e., what must eventually happen, can be expressed by a subset L of the executions of its safe part A, as proposed in [AL93]. Thus, informally, a live automaton is a pair (A, L) where A is an automaton and L is a subset of its executions. The executions of L, which satisfy both the safety and liveness requirements of (A, L), are the only ones that can occur in the described system. However, in order to ensure that the set L of executions does not introduce any more safety than is already given by A, it should not be possible to violate L in a finite number of steps. As a consequence, any finite execution of A must be extendible to an execution in L. In fact, if the safe part A of live automaton (A, L) has a finite execution α that cannot be extended to an execution in L, then α cannot occur in the system described by (A, L), and thus L introduces the additional safety property that α cannot occur. Our restriction on the pair (A, L) implies that the pair (exec(A), L) is machine-closed as defined in [AL93].


Definition 3.2 (Live automaton)

A liveness condition L for an automaton A is a subset of the executions of A such that any finite execution of A has an extension in L, i.e., for each α ∈ exec*(A) there exists an α’ ∈ frag(A) such that α ⌢ α’ ∈ L.

A live automaton is a pair (A, L), where A is an automaton and L is a liveness condition for A. The executions of L are called the live executions of (A, L). □


Informally, a liveness condition can be used to express (at least) two intuitively different 
requirements. First, a liveness condition can be used to specify assumptions about the long- 
term behavior of a system that are based on its physical structure. For example, it is reasonable 
to assume that two independent processes running in parallel are both allowed to make progress 
infinitely often. In a physical system this is ensured by executing the two processes on separate 
processors or by using a fair scheduler in a multiprogramming environment. The notion of 
fairness of I/O automata [LT87] exactly captures this particular physical assumption. Second, 
a liveness condition can be used to specify additional properties that a system is required to 
satisfy. For example, in a mutual exclusion problem we may require a process to eventually 
exit the critical region whenever it enters it. 

Even though a liveness condition can express many specific intuitive ideas, for the purpose 
of this paper a liveness condition simply represents the set of executions that a system can 
exhibit whenever it is “working properly”. 


3.3 Safe I/O Automata 


Our notion of safe I/O automaton is the same as the “unfair” I/O automaton of [LT87], i.e., 
the automaton obtained by removing the partition of the locally-controlled actions from an 
I/O automaton of [LT87]. 


Definition 3.3 (Safe I/O automaton) 


A safe I/O automaton A is an automaton augmented with an external action signature, 
esig(A) = (in(A), out(A)), which partitions ext(A) into input and output actions. In each 
state, each input action must be enabled. A is said to be input-enabled. 

The internal and output actions of a safe I/O automaton A are referred to as the locally- 
controlled actions of A, written local(A). Thus, local(A) = int(A) ∪ out(A). □


The interaction between safe I/O automata is specified by the parallel composition operator. 
We use the synchronization style of [Hoa85, LT87], where automata synchronize on their com- 
mon actions and evolve independently on the others. We also retain the constraint of [LT87] 
that each action is under the control of at most one automaton by defining parallel compo- 
sition only for compatible safe I/O automata. Compatibility requires that each action be an 
output action of at most one safe I/O automaton. Furthermore, to avoid action name clashes, 
compatibility requires that internal action names be unique. 


Definition 3.4 (Parallel composition) 


Safe I/O automata $A_1, \ldots, A_N$ are compatible if for all $1 \le i, j \le N$ with $i \ne j$, the following conditions hold:

1. $out(A_i) \cap out(A_j) = \emptyset$

2. $int(A_i) \cap acts(A_j) = \emptyset$

The parallel composition $A_1 \parallel \cdots \parallel A_N$ of compatible safe I/O automata $A_1, \ldots, A_N$ is the safe I/O automaton A such that

1. $states(A) = states(A_1) \times \cdots \times states(A_N)$

2. $start(A) = start(A_1) \times \cdots \times start(A_N)$

3. $out(A) = out(A_1) \cup \cdots \cup out(A_N)$

4. $in(A) = (in(A_1) \cup \cdots \cup in(A_N)) \setminus out(A)$

5. $int(A) = int(A_1) \cup \cdots \cup int(A_N)$

6. $((s_1, \ldots, s_N), a, (s'_1, \ldots, s'_N)) \in steps(A)$ iff for all $1 \le i \le N$

 (a) if $a \in acts(A_i)$ then $(s_i, a, s'_i) \in steps(A_i)$

 (b) if $a \notin acts(A_i)$ then $s_i = s'_i$ □


The executions of the parallel composition of compatible safe I/O automata $A_1, \ldots, A_N$ can alternatively be characterized as those executions that, when projected onto any component $A_i$, yield an execution of $A_i$. In particular, let $A = A_1 \parallel \cdots \parallel A_N$. First let s be a state of A. Then, for any $1 \le i \le N$, define $s \lceil A_i$ to be s projected onto the i-th component. Now, let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ be an alternating sequence of states and actions such that $s_k \in$ states(A) and $a_k \in$ acts(A), for all k, and α ends in a state if it is a finite sequence. Define $\alpha \lceil A_i$, where $1 \le i \le N$, to be the sequence obtained from α by projecting its states onto their i-th component and by removing each action not in acts($A_i$) together with its following state.


Lemma 3.5 


Let $A = A_1 \parallel \cdots \parallel A_N$. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ be an alternating sequence of states and actions such that $s_k \in$ states(A) and $a_k \in$ acts(A), for all k, and α ends in a state if it is a finite sequence. Then α ∈ exec(A) iff, for each i, $\alpha \lceil A_i \in$ exec($A_i$) and $s_{k-1} \lceil A_i = s_k \lceil A_i$ whenever $a_k \notin$ acts($A_i$).


Proof. The lemma is a direct consequence of Corollary 8 of [LT87]. □


The parallel composition operator could alternatively be defined as a commutative and associa- 
tive (up to isomorphism) binary operator. Thus, the parallel composition of N I/O automata 
could be obtained by applying the binary composition operator N − 1 times. We use the N-ary 
parallel composition operator since it provides a simpler and more direct notation. Finally, the 
parallel composition operator is restricted to the composition of finitely many I/O automata 
in order to preserve compatibility with the timed model, where composition of infinitely many 
live timed I/O automata is not possible. 
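The following is an added illustration in Python (not code from the paper) of Definition 3.4 and Lemma 3.5: it composes two constructed safe I/O automata, a sender P and a receiver Q, checks compatibility, and verifies on sample sequences that being an execution of P ‖ Q coincides with the projection condition of Lemma 3.5. The components P and Q and their action names are assumptions made for this example.

```python
"""Parallel composition of compatible safe I/O automata (Definition 3.4) and
the projection characterisation of its executions (Lemma 3.5).

Added illustration, not code from the paper. The two components (a sender P
and a receiver Q) are constructed here as sample input."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SafeIOAutomaton:
    states: frozenset
    start: frozenset
    inputs: frozenset
    outputs: frozenset
    internals: frozenset
    steps: frozenset  # triples (s, a, s')

    @property
    def acts(self):
        return self.inputs | self.outputs | self.internals

    def is_input_enabled(self):
        """Definition 3.3: every input action is enabled in every state."""
        return all(any(t[0] == s and t[1] == a for t in self.steps)
                   for s in self.states for a in self.inputs)


def compatible(autos):
    """Conditions 1 and 2 of Definition 3.4 for every pair i != j."""
    return all(not (ai.outputs & aj.outputs) and not (ai.internals & aj.acts)
               for i, ai in enumerate(autos) for j, aj in enumerate(autos) if i != j)


def compose(autos):
    """A_1 || ... || A_N, items 1-6 of Definition 3.4 (composed states are tuples)."""
    if not compatible(autos):
        raise ValueError("components are not compatible")
    out = frozenset().union(*(a.outputs for a in autos))
    ins = frozenset().union(*(a.inputs for a in autos)) - out   # item 4
    ints = frozenset().union(*(a.internals for a in autos))
    states = frozenset(product(*(a.states for a in autos)))
    steps = set()
    for s in states:
        for a in out | ins | ints:
            choices = []
            for comp, si in zip(autos, s):
                if a in comp.acts:   # item 6(a): the component takes an a-step
                    choices.append([t[2] for t in comp.steps if t[0] == si and t[1] == a])
                else:                # item 6(b): the component does not move
                    choices.append([si])
            steps.update((s, a, s2) for s2 in product(*choices))
    return SafeIOAutomaton(states, frozenset(product(*(a.start for a in autos))),
                           ins, out, ints, frozenset(steps))


def is_execution(auto, alpha):
    """alpha = [s0, a1, s1, ..., an, sn] is a finite execution of auto."""
    return alpha[0] in auto.start and all(
        (alpha[k - 1], alpha[k], alpha[k + 1]) in auto.steps for k in range(1, len(alpha), 2))


def project(alpha, i, comp):
    """alpha restricted to component i: project the states onto their i-th component
    and drop every action outside acts(comp) together with its following state."""
    res = [alpha[0][i]]
    for k in range(1, len(alpha), 2):
        if alpha[k] in comp.acts:
            res += [alpha[k], alpha[k + 1][i]]
    return res


def lemma_3_5_rhs(autos, alpha):
    """Right-hand side of Lemma 3.5 for a finite alternating sequence alpha."""
    return all(
        is_execution(comp, project(alpha, i, comp))
        and all(alpha[k - 1][i] == alpha[k + 1][i]
                for k in range(1, len(alpha), 2) if alpha[k] not in comp.acts)
        for i, comp in enumerate(autos))


# Constructed sample components: P sends and waits for an acknowledgement,
# Q receives and acknowledges. Inputs are enabled in every state (self-loops).
P = SafeIOAutomaton(frozenset({"idle", "wait"}), frozenset({"idle"}),
                    frozenset({"ack"}), frozenset({"send"}), frozenset(),
                    frozenset({("idle", "send", "wait"), ("wait", "ack", "idle"),
                               ("idle", "ack", "idle")}))
Q = SafeIOAutomaton(frozenset({"empty", "full"}), frozenset({"empty"}),
                    frozenset({"send"}), frozenset({"ack"}), frozenset(),
                    frozenset({("empty", "send", "full"), ("full", "send", "full"),
                               ("full", "ack", "empty")}))
PQ = compose([P, Q])
```

In P ‖ Q both send and ack become output actions and the composed automaton has no inputs, which is exactly item 4 of the definition at work.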


Parallel composition is typically used to build complex systems based on simpler components. 
However, some actions are meant to represent internal communications between the subcomponents of the complex system. The hiding operator of [LT87] changes some external actions 
into internal actions. 


Definition 3.6 (Action hiding) 


Let A be a safe I/O automaton and let Λ be a set of actions such that Λ ⊆ local(A). Then define A \ Λ to be the safe I/O automaton such that

1. states(A \ Λ) = states(A)

2. start(A \ Λ) = start(A)

3. in(A \ Λ) = in(A)

4. out(A \ Λ) = out(A) \ Λ

5. int(A \ Λ) = int(A) ∪ Λ

6. steps(A \ Λ) = steps(A) □
Lemma 3.7


Let A be a safe I/O automaton and Λ ⊆ local(A). Then exec(A \ Λ) = exec(A).


Proof. The lemma is a direct consequence of Corollary 13 of [LT87]. □


Several processes might be identical except for their actions’ names. The processes of a token 
ring communication network provide a classical example. Such processes can be specified 
by first defining a generic automaton representing the functionality of a generic token ring 
process, and then creating an instance for each process by renaming the actions of the generic 
automaton via an action renaming operation. Action renaming can also be used to resolve 
name clashes that lead to incompatibilities in Definition 3.4. 


Definition 3.8 (Action renaming) 


A mapping ρ from actions to actions is applicable to a safe I/O automaton A if it is injective and acts(A) ⊆ dom(ρ). Given a safe I/O automaton A and a mapping ρ applicable to A, define ρ(A) to be the safe I/O automaton such that

1. states(ρ(A)) = states(A)

2. start(ρ(A)) = start(A)

3. in(ρ(A)) = ρ(in(A))

4. out(ρ(A)) = ρ(out(A))

5. int(ρ(A)) = ρ(int(A))

6. steps(ρ(A)) = {(s, ρ(a), s’) | (s, a, s’) ∈ steps(A)} □


Lemma 3.9 


Let A be a safe I/O automaton and let ρ be a mapping applicable to A. For each execution α ∈ exec(A), let ρ(α) be the sequence that results from replacing each occurrence of every action a in α by ρ(a). Then exec(ρ(A)) = {ρ(α) | α ∈ exec(A)}.


Proof. The lemma is a direct consequence of Lemma 15 of [LT87]. □


3.4 Live I/O Automata 


In defining live I/O automata one could follow the approach of Definition 3.2 and define a 
live I/O automaton to be a pair (A, L) where A is a safe I/O automaton and L is a liveness 
condition for A. However, such a naive definition would not capture the fact that a live I/O 
automaton should behave properly independently of the inputs provided by its environment. 
Given the structure of our liveness conditions, such independence from the environment will 
prove to play a fundamental role in the proofs for the closure of live I/O automata under 
parallel composition and the substitutivity of our trace based preorders. 


Example 3.10 
Let A be the safe I/O automaton described by the diagram,

[Transition diagram of A (not reproduced); its transitions are labelled a and b.]

where a is an input action and b is an output action. Let L be the set of executions of A containing at least five occurrences of action a. L is trivially a liveness condition for A; however, the pair (A, L) would not behave properly if the environment does not provide more than four a actions (recall that behaving properly means being an execution of L). □


Some of the problems arising from the requirement that a live I/O automaton should behave 
properly independently of the inputs provided by its environment are addressed in [Dil88, 
AL93]. Their solutions lead to the notion of receptiveness. Intuitively a system is receptive if 
it behaves properly independently of the inputs provided by its environment, or equivalently, if 
it does not constrain its environment. The interaction between a system and its environment 
is represented as a two person game where the environment moves consist of providing an 
arbitrary finite number of inputs, i.e., in our model, a finite number of input actions, and the 
system moves consist of performing at most one local step, i.e., in our model, at most one 
locally-controlled step. A system is receptive if it has a way to win the game (i.e., to behave 
properly) independently of the moves of its environment. The fact that an environment move 
can include at most a finite number of actions represents the natural requirement that the 
environment cannot be infinitely faster than the system. 

The behavior of the system during the game is determined by a strategy. In our model 
a strategy consists of a pair of functions (g, f). The function g decides which of the possible 
states the system reaches in response to any given input action; the function f determines the 
next move of the system. The move can be a local step or no step (⊥ move).


Definition 3.11 (Strategy) 
Consider any safe I/O automaton A. A strategy defined on A is a pair of functions (g, f) where g : exec*(A) × in(A) → states(A) and f : exec*(A) → (local(A) × states(A)) ∪ {⊥} such that

1. g(α, a) = s implies αas ∈ exec*(A)

2. f(α) = (a, s) implies αas ∈ exec*(A) □


In the game between the environment and the system the moves of the environment are represented as an infinite sequence $\mathcal{I}$, called an environment sequence, of input actions interleaved with infinitely many Δ symbols. The symbol Δ represents the points at which the system is allowed to move. The occurrence of infinitely many Δ symbols in an environment sequence guarantees that each environment move consists of only finitely many input actions.
Suppose the game starts after a finite execution α. Then the outcome of a strategy (g, f), given α and an environment sequence $\mathcal{I}$, is the extension of α obtained by applying g at each input action in $\mathcal{I}$ and f at each Δ in $\mathcal{I}$.


Definition 3.12 (Outcome of a strategy) 


Let A be a safe I/O automaton and (g, f) a strategy defined on A. Define an environment sequence for A to be any infinite sequence of symbols from in(A) ∪ {Δ} with infinitely many occurrences of Δ. Then define $R_{(g,f)}$, the next-function induced by (g, f), as follows: for any finite execution α of A and any environment sequence $\mathcal{I}$ for A,

$$R_{(g,f)}(\alpha, \mathcal{I}) = \begin{cases} (\alpha a s, \mathcal{I}') & \text{if } \mathcal{I} = \Delta \mathcal{I}',\ f(\alpha) = (a, s) \\ (\alpha, \mathcal{I}') & \text{if } \mathcal{I} = \Delta \mathcal{I}',\ f(\alpha) = \bot \\ (\alpha a s, \mathcal{I}') & \text{if } \mathcal{I} = a \mathcal{I}',\ g(\alpha, a) = s \end{cases}$$

Let α be any finite execution of A and $\mathcal{I}$ any environment sequence for A. The outcome sequence of (g, f) given α and $\mathcal{I}$ is the unique infinite sequence $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ that satisfies:

• $(\alpha^0, \mathcal{I}^0) = (\alpha, \mathcal{I})$ and

• for all n > 0, $(\alpha^n, \mathcal{I}^n) = R_{(g,f)}(\alpha^{n-1}, \mathcal{I}^{n-1})$.

Note that $(\alpha^n)_{n \ge 0}$ forms a chain ordered by prefix.

The outcome $O_{(g,f)}(\alpha, \mathcal{I})$ of the strategy (g, f) given α and $\mathcal{I}$ is the execution $\lim_{n \to \infty} \alpha^n$, where $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ is the outcome sequence of (g, f) given α and $\mathcal{I}$ and the limit is taken under prefix ordering. □


Lemma 3.13 


Let A be a safe I/O automaton and (g, f) a strategy defined on A. Then for any finite execution α of A and any environment sequence $\mathcal{I}$ for A, the outcome $O_{(g,f)}(\alpha, \mathcal{I})$ is an execution of A such that $\alpha \le O_{(g,f)}(\alpha, \mathcal{I})$. □


The concepts of strategies and outcomes are used to define formally the property that a system 
does not constrain its environment. This property is called environment-freedom. Informally, 
environment-freedom requires that there exists a strategy, called an environment-free strategy, 
that allows the system to win every game against its environment. In other words, every 
outcome of the environment-free strategy should be an element of L. An important feature 
of the definition of environment-freedom is that it considers outcomes where the environment- 
free strategy for (A, L) is applied after any finite execution of A. The discussion following the 
definition shows that this feature leads to a clean separation of safety and liveness properties. 
Definition 3.14 (Environment-freedom)


A pair (A, L), where A is a safe I/O automaton and L ⊆ exec(A), is environment-free if there exists a strategy (g, f) defined on A such that for any finite execution α of A and any environment sequence $\mathcal{I}$ for A, the outcome $O_{(g,f)}(\alpha, \mathcal{I})$ is an element of L. The strategy (g, f) is called an environment-free strategy for (A, L). □


Lemma 3.15 


Consider the pair (A, L), where A is a safe I/O automaton and L ⊆ exec(A). If (A, L) is environment-free, then L is a liveness condition for A.

Proof. Consider any environment-free strategy (g, f) for (A, L), any finite execution α of A, and any environment sequence $\mathcal{I}$ for A. Then, since (g, f) is an environment-free strategy for (A, L), the outcome $O_{(g,f)}(\alpha, \mathcal{I})$ is an element of L. Furthermore, by Lemma 3.13, $O_{(g,f)}(\alpha, \mathcal{I})$ is an extension of α. Hence, any finite execution of A has an extension in L. □


Definition 3.16 (Live I/O automaton) 


A live I/O automaton is a pair (A, L), where A is a safe I/O automaton and L ⊆ exec(A), such that (A, L) is environment-free. □


Example 3.17

Consider the safe I/O automaton $A$ described by the transition diagram below.

[Transition diagram of $A$ over the states $s_0, \ldots, s_6$ with actions $i$ and $o$; not recoverable from the extraction.]

The unique start state of $A$ is $s_0$. Action $i$ is an input action and action $o$ is an output action. Let $L$ be the liveness condition for $A$ consisting of the set of executions of $A$ with at least one occurrence of action $o$. The pair $(A, L)$ is not environment-free. Specifically, consider the finite execution $\alpha = s_0\, i\, s_4$ and the environment sequence $\mathcal{I} = \lambda\lambda\lambda\cdots$. Performing action $o$ after reaching state $s_4$ requires receiving an input $i$. Therefore, there is no strategy whose outcome given $\alpha$ and $\mathcal{I}$ is an execution in $L$.

Define a new automaton $A'$ from $A$ by removing states $s_4, s_5, s_6$, and let $L'$ be the set of executions of $A'$ containing at least one occurrence of action $o$. Then the pair $(A', L')$ is environment-free. Function $f$ chooses to perform action $o$ whenever applied to an execution ending in $s_0$ or $s_2$ and chooses $\bot$ otherwise; function $g$ always moves to the only possible next state. In [AL93] the pair $(A, L)$ is said to be realizable and is identified with its realizable part $(A', L')$. Realizability can be defined in our model by considering only those outcomes $O_{(g,f)}(\alpha, \mathcal{I})$ where $\alpha$ consists of a start state. However, the approach of [AL93] implies that state $s_4$ should never be reached in $(A, L)$, thus adding new safety requirements to $A$ via $L$. It is the requirement of our environment-freedom condition that $O_{(g,f)}(\alpha, \mathcal{I}) \in L$ for all $\alpha \in \mathrm{exec}^*(A)$ which ensures that such new safety properties are not introduced.

Let $B$ be a safe I/O automaton that performs its unique output action $i$ just once, and let $L_B$ be the set of executions of $B$. The pair $(B, L_B)$ is trivially a live I/O automaton. It is easy to see that the parallel composition $(A, L) \| (B, L_B)$ is not even a live automaton. Thus, realizable pairs are not closed under parallel composition. The reader is referred to Section 3.6 for more details. □
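The following Python program is an added example and not code from the paper: it encodes a finite-state safe I/O automaton, a strategy $(g, f)$, the next-function $R_{(g,f)}$ in the three-case form used by the proofs of this section, and a bounded version of the quantification in Definition 3.14. The automaton is a constructed stand-in for the one of Example 3.17 (whose diagram is not reproduced here), the environment prefixes are constructed samples, and the names `IOAutomaton`, `next_pair`, `outcome_prefix` and `bounded_env_free_check` are this example's own choices.

```python
from typing import List, Sequence, Set, Tuple

LAMBDA = "λ"   # the environment idles for one round
BOTTOM = None  # the ⊥ move: the system performs no locally controlled step
Step = Tuple[str, str, str]      # (state, action, next state)
Execution = Tuple[str, ...]      # s0 a1 s1 a2 s2 ... stored flat as a tuple


class IOAutomaton:
    """Finite-state safe I/O automaton: start state, input/output actions, steps (assumed name)."""

    def __init__(self, start: str, inputs: Set[str], outputs: Set[str], steps: Set[Step]):
        self.start, self.inputs, self.outputs, self.steps = start, set(inputs), set(outputs), set(steps)
        self.states = {start} | {s for s, _, _ in steps} | {t for _, _, t in steps}

    def successors(self, state: str, action: str) -> List[str]:
        return sorted(t for s, a, t in self.steps if s == state and a == action)

    def input_enabled(self) -> bool:
        """Safe I/O automata must enable every input action in every state (Remark 3.18)."""
        return all(self.successors(s, a) for s in self.states for a in self.inputs)

    def finite_executions(self, max_steps: int) -> List[Execution]:
        """Every element of exec*(A) with at most max_steps actions, shortest first."""
        result: List[Execution] = []
        frontier: List[Execution] = [(self.start,)]
        for _ in range(max_steps + 1):
            result.extend(frontier)
            frontier = [alpha + (a, t) for alpha in frontier
                        for s, a, t in sorted(self.steps) if s == alpha[-1]]
        return result

    def without_states(self, dead: Set[str]) -> "IOAutomaton":
        keep = {(s, a, t) for s, a, t in self.steps if s not in dead and t not in dead}
        return IOAutomaton(self.start, self.inputs, self.outputs, keep)


def next_pair(g, f, alpha: Execution, env: Sequence[str]):
    """One application of the next-function R_(g,f): the three cases used in the paper's proofs."""
    head, tail = env[0], env[1:]
    if head != LAMBDA:                 # case 3: the environment supplies an input action
        return alpha + (head, g(alpha, head)), tail
    move = f(alpha)
    if move is BOTTOM:                 # case 2: the system idles while the environment idles
        return alpha, tail
    return alpha + move, tail          # case 1: a locally controlled step (a, s)


def outcome_prefix(g, f, alpha: Execution, env: Sequence[str]) -> Execution:
    """Prefix of the outcome O_(g,f)(alpha, env) reached after consuming the finite env prefix."""
    for _ in range(len(env)):
        alpha, env = next_pair(g, f, alpha, env)
    return alpha


def bounded_env_free_check(aut: IOAutomaton, g, f, live, envs, max_steps: int = 3):
    """Tries every execution of at most max_steps actions against the sampled environment prefixes
    and returns the first (execution, environment) pair whose outcome prefix violates `live`, or
    None.  Definition 3.14 quantifies over all executions and all environment sequences, so this
    bounded search can refute environment-freedom but never prove it."""
    for alpha in aut.finite_executions(max_steps):
        for env in envs:
            if not live(outcome_prefix(g, f, alpha, env)):
                return alpha, env
    return None


# Constructed automaton (an assumption, not the paper's figure): input i, output o.  From s0 the
# input i may loop or lead to s4, and in s4 the output o is enabled only after another input i.
A = IOAutomaton("s0", {"i"}, {"o"}, {
    ("s0", "i", "s0"), ("s0", "i", "s4"), ("s0", "o", "s2"), ("s2", "i", "s2"), ("s2", "o", "s3"),
    ("s3", "i", "s3"), ("s4", "i", "s5"), ("s5", "i", "s5"), ("s5", "o", "s6"), ("s6", "i", "s6")})
A_PRIME = A.without_states({"s4", "s5", "s6"})   # the realizable part: s4, s5, s6 removed


def make_strategy(aut: IOAutomaton):
    """g moves to the first enabled successor; f performs o whenever o is enabled, ⊥ otherwise."""
    def g(alpha: Execution, a: str) -> str:
        return aut.successors(alpha[-1], a)[0]

    def f(alpha: Execution):
        succ = aut.successors(alpha[-1], "o")
        return ("o", succ[0]) if succ else BOTTOM
    return g, f


def contains_o(alpha: Execution) -> bool:
    """The liveness condition of the example: at least one occurrence of o."""
    return "o" in alpha[1::2]


# Constructed environment prefixes; each contains λ, so the system gets a chance to move.
ENVS = [(LAMBDA,) * 6, ("i", LAMBDA) * 3, ("i", "i", "i", LAMBDA, LAMBDA, LAMBDA)]


def check_A():
    return bounded_env_free_check(A, *make_strategy(A), contains_o, ENVS)


def check_A_prime():
    return bounded_env_free_check(A_PRIME, *make_strategy(A_PRIME), contains_o, ENVS)
```

`check_A()` returns the execution $s_0\, i\, s_4$ together with the all-$\lambda$ environment prefix: once $s_4$ has been reached, no strategy can produce $o$ without an input, which is exactly the witness of Example 3.17. `check_A_prime()` returns `None`, since every sampled outcome of the restricted automaton contains $o$. The check enumerates the finite executions of the automaton itself, not only those the strategy would produce, because Definition 3.14 starts the strategy after an arbitrary finite execution; this is the detail that keeps $L$ from smuggling in new safety requirements.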


Remark 3.18

Note that for a pair $(A, L)$ to be environment-free, all input actions must be enabled in all reachable states. Consider any reachable state $s$ of $A$ and any finite execution $\alpha$ of $A$ leading to state $s$. Since $\alpha$ must be extendible for all input actions that the environment might provide, each input action must be enabled in $s$. For this reason safe I/O automata are required to be input-enabled by definition. □


The parallel composition, hiding and renaming operators can now be extended to live I/O 
automata by using the results of Lemmas 3.5, 3.7, and 3.9. 


Definition 3.19 (Parallel composition)

Live I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible iff the safe I/O automata $A_1, \ldots, A_N$ are compatible.

The parallel composition $(A_1, L_1) \| \cdots \| (A_N, L_N)$ of compatible live I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ is defined to be the pair $(A, L)$ where $A = A_1 \| \cdots \| A_N$ and $L = \{\alpha \in \mathrm{exec}(A) \mid \alpha\lceil A_1 \in L_1, \ldots, \alpha\lceil A_N \in L_N\}$. □


Definition 3.20 (Action hiding)

Let $(A, L)$ be a live I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq \mathrm{local}(A)$. Then define $(A, L) \setminus \Lambda$ to be the pair $(A \setminus \Lambda, L)$. □


Definition 3.21 (Action renaming)

A mapping $\rho$ from actions to actions is applicable to a live I/O automaton $(A, L)$ if it is applicable to $A$. Let $\alpha$ be an execution of $(A, L)$. Define $\rho(\alpha)$ to be the sequence that results from replacing each occurrence of every action $a$ in $\alpha$ by $\rho(a)$. Given a live I/O automaton $(A, L)$ and a mapping $\rho$ applicable to $(A, L)$, define $\rho((A, L))$ to be the pair $(\rho(A), \{\rho(\alpha) \mid \alpha \in L\})$. □

All the operators above are closed for live I/O automata in the sense that they produce a new live I/O automaton whenever applied to live I/O automata.


Proposition 3.22 (Closure of action hiding)

Let $(A, L)$ be a live I/O automaton and let $\Lambda \subseteq \mathrm{local}(A)$. Then $(A, L) \setminus \Lambda$ is a live I/O automaton.

Proof. To see that $(A, L) \setminus \Lambda$ is a live I/O automaton it is sufficient to note that $A \setminus \Lambda$ is a safe I/O automaton, $L \subseteq \mathrm{exec}(A \setminus \Lambda)$ (by Lemma 3.7), and that an environment-free strategy for $(A, L)$ is also an environment-free strategy for $(A, L) \setminus \Lambda$. □


Proposition 3.23 (Closure of action renaming)

Let $(A, L)$ be a live I/O automaton and let $\rho$ be a mapping applicable to $(A, L)$. Then $\rho((A, L))$ is a live I/O automaton.

Proof. To see that $\rho((A, L))$ is a live I/O automaton it is sufficient to note that $\rho(A)$ is a safe I/O automaton, $\{\rho(\alpha) \mid \alpha \in L\} \subseteq \mathrm{exec}(\rho(A))$ (by Lemma 3.9), and that an environment-free strategy for $(A, L)$ can easily be modified to be an environment-free strategy for $\rho((A, L))$. Specifically, since $\rho$ is injective, any environment-free strategy $(g, f)$ for $(A, L)$ can be transformed into a new environment-free strategy $(g_\rho, f_\rho)$ for $\rho((A, L))$ where

$$g_\rho(\rho(\alpha), \rho(a)) = g(\alpha, a)$$


The analysis for the parallel composition operator is more complicated and needs some technical lemmas. Given $(A, L) = (A_1, L_1) \| \cdots \| (A_N, L_N)$, it is easy to see that $A$ is a safe I/O automaton since its definition is based on the parallel composition of safe I/O automata. However, it is not as easy to see that the pair $(A, L)$ is environment-free, and hence a live I/O automaton. The proof that $(A, L)$ is environment-free uses a strategy $(g, f)$ for $(A, L)$ based on environment-free strategies $(g_i, f_i)$ for each of the $(A_i, L_i)$, and shows that $(g, f)$ is an environment-free strategy for $(A, L)$.

Function $g$ should compute, given input $a$, the next state according to the $g_i$ functions of those components of $A$ for which $a$ is an input action, and simply leave the state unchanged for those components where $a$ is not an action.

Function $f$ must ensure that every component of $A$ gets a chance to control a step of $A$ infinitely often. This fact accounts for much of the complexity in the definition of $(g, f)$. Ensuring that every component of $A$ gets a chance to control a step infinitely often would most naturally be done by assigning the control of steps to components in a round robin fashion. The round robin based approach, however, would give rise to a technical problem in the definition of $f$: since the only argument to $f$ is a finite execution $\alpha$, the component whose turn it is to control the step in the round robin schedule must be determined from $\alpha$. Unfortunately, the finite execution $\alpha$ does not include enough information to make this determination. Consider the following scenario. Assume that it is component $A_i$'s turn to control the step after a finite execution $\alpha$. Assume further that $A_i$ decides to perform a $\bot$ move and that the next input is a $\lambda$ symbol. In this case $\alpha$ will not change and, thus, it will again be $A_i$'s turn to control the next step. Therefore, the round robin protocol is violated. The problem is, of course, that $\bot$ and $\lambda$ moves are "invisible" in $\alpha$. One solution to this problem would be to let $f$ be a function of "extended" executions that contain information about $\bot$ and $\lambda$ moves. The problem with this solution, however, is that it becomes messy due to the fact that this new notion of execution must keep track of $\bot$ and $\lambda$ moves of subcomponents of components, and so on. An alternative solution, adopted in our definition of $f$, uses the number of locally-controlled actions in $\alpha$ to determine which component controls a step. If the component controlling a step wants to perform a $\bot$ move but another component wants to perform a local step, a component wanting to perform the local step is given control. Thus a new locally-controlled action is added, ensuring that another component will be given the opportunity to control the next step. Only if all components want to perform $\bot$ moves does $f$ yield a $\bot$ move.

One final technicality in the definition of $f$ is that it uses the $g_i$ functions. In particular, if a component performs a local step with action $a$, action $a$ might be an input action of other components. In this case, the definition of $f$ will need the $g_i$ functions of all those components for which action $a$ is an input action.


Definition 3.24 (Parallel composition of strategies)

Let $A = A_1 \| \cdots \| A_N$ be the parallel composition of compatible safe I/O automata $A_1, \ldots, A_N$. For each finite execution $\alpha \in \mathrm{exec}^*(A)$, let $l(\alpha)$ be the number of occurrences of locally-controlled actions of $A$ in $\alpha$, i.e., $l(\alpha) = |\alpha\lceil \mathrm{local}(A)|$, and let $p(\alpha) = (l(\alpha) \bmod N) + 1$. Let, for each $1 \le i \le N$, $(g_i, f_i)$ be a strategy defined on $A_i$.

The parallel composition $(g_1, f_1) \| \cdots \| (g_N, f_N)$ of the strategies $(g_1, f_1), \ldots, (g_N, f_N)$ is the pair of functions $(g, f)$ defined as follows.

Function $g : \mathrm{exec}^*(A) \times \mathrm{in}(A) \to \mathrm{states}(A)$ is defined such that $g(\alpha, a) = s$ where, for each component $A_i$,

$$s\lceil A_i = \begin{cases} g_i(\alpha\lceil A_i, a) & \text{if } a \in \mathrm{in}(A_i) \\ \mathrm{lstate}(\alpha)\lceil A_i & \text{otherwise} \end{cases}$$

Function $f : \mathrm{exec}^*(A) \to (\mathrm{local}(A) \times \mathrm{states}(A)) \cup \{\bot\}$ is defined for $\alpha$ based on the following cases:

1. If there exists $A_i$ such that $f_i(\alpha\lceil A_i) \ne \bot$, then define $k$ as follows. If $f_{p(\alpha)}(\alpha\lceil A_{p(\alpha)}) \ne \bot$, then $k = p(\alpha)$. Otherwise, $k$ is the minimum index $i$ such that $f_i(\alpha\lceil A_i) \ne \bot$. Now let $f_k(\alpha\lceil A_k) = (a, s_k)$ and define $f(\alpha) = (a, s)$ where, for each component $A_j$,

$$s\lceil A_j = \begin{cases} s_k & \text{if } j = k \\ g_j(\alpha\lceil A_j, a) & \text{if } a \in \mathrm{in}(A_j) \\ \mathrm{lstate}(\alpha)\lceil A_j & \text{otherwise} \end{cases}$$

2. If $f_i(\alpha\lceil A_i) = \bot$ for all $A_i$, then $f(\alpha) = \bot$. □


It is easy to see that the strategy of Definition 3.24 is indeed a strategy defined on A. 


Lemma 3.25

Let $A_1, \ldots, A_N$ be compatible safe I/O automata and let, for each $1 \le i \le N$, $(g_i, f_i)$ be a strategy defined on $A_i$. Then $(g_1, f_1) \| \cdots \| (g_N, f_N)$ is a strategy defined on $A_1 \| \cdots \| A_N$.

Proof. Let $A = A_1 \| \cdots \| A_N$ and $(g, f) = (g_1, f_1) \| \cdots \| (g_N, f_N)$. From Definition 3.4, we know that $A$ is a safe I/O automaton. Now the proof is a simple case analysis on the different cases of Definition 3.24. In fact, for each one of those cases, it is sufficient to show that $f$ and $g$ give legal steps of $A$. □


The following lemma is the key lemma for proving that the strategy of Definition 3.24 is 
environment-free if the component strategies are environment-free. The lemma shows that the 
projection of an outcome of the composed strategy onto any A; is an outcome of the strategy 
(gi, f;). Intuitively, this means that, even though the composed system uses its composed 
strategy to find its outcome, it still looks to each component as if it was using its own component 
strategy. 
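The Python program below is an added example, not the paper's code. It implements the composed strategy $(g, f)$ of Definition 3.24 on top of three constructed component strategies, together with the projection $\alpha\lceil A_i$ that Lemmas 3.25 and 3.26 apply to executions of the composition. The components `C1`, `C2`, `C3`, the state names and the function names are assumptions of this example; the definition is read so that the controlling component $A_k$ takes the state $s_k$ chosen by its own $f_k$, while every other component follows its $g_j$ if the action is one of its inputs and keeps its state otherwise.

```python
from typing import List, Tuple

LAMBDA = "λ"
BOTTOM = None                    # the ⊥ move
State = Tuple[str, ...]          # a state of A = A_1 || ... || A_N is a tuple of component states
Execution = Tuple[object, ...]   # s0 a1 s1 a2 s2 ... with composite states and actions interleaved


def project(alpha: Execution, acts_i, i: int) -> Tuple[str, ...]:
    """alpha ⌈ A_i: keep component i's state and only the actions in acts(A_i).  Steps with
    actions outside acts(A_i) never change A_i's state, so dropping them is the projection."""
    out = [alpha[0][i]]
    for a, s in zip(alpha[1::2], alpha[2::2]):
        if a in acts_i:
            out += [a, s[i]]
    return tuple(out)


class Component:
    """A component automaton's signature together with its strategy (g_i, f_i) (assumed name)."""

    def __init__(self, inputs, local, g, f):
        self.inputs, self.local, self.g, self.f = set(inputs), set(local), g, f
        self.acts = self.inputs | self.local


def compose_strategies(comps: List[Component]):
    """(g_1, f_1) || ... || (g_N, f_N) as in Definition 3.24; also returns p for inspection."""
    N = len(comps)
    local_all = set().union(*(c.local for c in comps))

    def p(alpha: Execution) -> int:
        # p(alpha) = (l(alpha) mod N) + 1, l(alpha) = number of locally controlled actions in alpha
        return sum(1 for a in alpha[1::2] if a in local_all) % N + 1

    def g(alpha: Execution, a: str) -> State:
        last = alpha[-1]
        return tuple(c.g(project(alpha, c.acts, j), a) if a in c.inputs else last[j]
                     for j, c in enumerate(comps))

    def f(alpha: Execution):
        moves = [c.f(project(alpha, c.acts, j)) for j, c in enumerate(comps)]
        if all(m is BOTTOM for m in moves):           # case 2: every component wants ⊥
            return BOTTOM
        k = p(alpha) - 1                               # 0-based index of the scheduled component
        if moves[k] is BOTTOM:                         # it yields to the lowest index that can move
            k = next(j for j, m in enumerate(moves) if m is not BOTTOM)
        a, s_k = moves[k]
        last = alpha[-1]
        s = tuple(s_k if j == k
                  else c.g(project(alpha, c.acts, j), a) if a in c.inputs
                  else last[j]
                  for j, c in enumerate(comps))
        return a, s
    return g, f, p


def run_with_idle_environment(f, start: State, rounds: int) -> Execution:
    """Apply f repeatedly: the outcome prefix against the environment λ λ λ ... (no inputs)."""
    alpha: Execution = (start,)
    for _ in range(rounds):
        move = f(alpha)
        if move is BOTTOM:
            break
        alpha = alpha + move
    return alpha


# Constructed components (assumptions): C1 always outputs a; C2 always outputs b and records the
# input a by moving to q1; C3 has the external input x but never wants to move (f is always ⊥).
C1 = Component(inputs=set(), local={"a"}, g=lambda alpha, a: alpha[-1], f=lambda alpha: ("a", "p"))
C2 = Component(inputs={"a"}, local={"b"}, g=lambda alpha, a: "q1", f=lambda alpha: ("b", alpha[-1]))
C3 = Component(inputs={"x"}, local={"c"}, g=lambda alpha, a: "r1", f=lambda alpha: BOTTOM)
START = ("p", "q0", "r")


def composed_run(rounds: int = 6) -> Execution:
    _, f, _ = compose_strategies([C1, C2, C3])
    return run_with_idle_environment(f, START, rounds)


def actions_of(alpha: Execution) -> Tuple[str, ...]:
    return tuple(alpha[1::2])
```

With the environment idle, `composed_run(6)` yields the action sequence `a b a a b a`: control rotates through the three components by the count of locally controlled actions, and each time the turn reaches `C3`, whose $f_3$ is $\bot$, the lowest-indexed component able to move (`C1`) takes the step instead. Because every step adds a locally controlled action, the schedule still advances, which is the point of counting actions rather than turns. The projection of the run onto `C1` contains exactly its four `a` steps, and the projection onto `C3` is its start state alone, as Lemma 3.26 requires.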


Lemma 3.26

Let $A_1, \ldots, A_N$ be compatible safe I/O automata and, for each $1 \le i \le N$, let $(g_i, f_i)$ be a strategy defined on $A_i$. Let $A = A_1 \| \cdots \| A_N$ and let $(g, f) = (g_1, f_1) \| \cdots \| (g_N, f_N)$. Furthermore, let $\alpha$ be an arbitrary finite execution of $A$, $\mathcal{I}$ be an arbitrary environment sequence for $A$, and $i$, with $1 \le i \le N$, be an arbitrary index. Then, there exists an environment sequence $\mathcal{I}_i$ for $A_i$ such that $O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i = O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i)$.

Proof. From Definition 3.4 we know that $A$ is a safe I/O automaton. Furthermore, by Lemma 3.25, $(g, f)$ is a strategy defined on $A$.

Let $R_{(g,f)}$ and $R_{(g_i,f_i)}$ be the next-functions induced by $(g, f)$ and $(g_i, f_i)$, respectively. Also, let $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ be the outcome sequence of $(g, f)$ given $\alpha$ and $\mathcal{I}$. Then $O_{(g,f)}(\alpha, \mathcal{I}) = \lim_{n \to \infty} \alpha^n$. Finally, for any finite execution $\alpha' \in \mathrm{exec}^*(A)$, let $l(\alpha')$ be the number of occurrences of locally-controlled actions of $A$ in $\alpha'$, i.e., $l(\alpha') = |\alpha'\lceil \mathrm{local}(A)|$, and let $p(\alpha') = (l(\alpha') \bmod N) + 1$. (See Definition 3.24.)
The first step of the proof consists of constructing an environment sequence $\mathcal{I}_i$ such that $O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i = O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i)$. The construction of $\mathcal{I}_i$ is inductive on $n$. Along with $\mathcal{I}_i$, the inductive definition constructs an outcome sequence $(\alpha_i^j, \mathcal{I}_i^j)_{j \ge 0}$ of $(g_i, f_i)$ given $\alpha\lceil A_i$ and $\mathcal{I}_i$, and a total nondecreasing mapping $m$ with signature $\mathbb{N}_0 \to \mathbb{N}_0$, which, informally, maps elements of the outcome sequence $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ to their corresponding elements of the outcome sequence $(\alpha_i^j, \mathcal{I}_i^j)_{j \ge 0}$. The $n$-th step of the inductive construction of $\mathcal{I}_i$ defines the $(m(n-1)+1)$-th, ..., $m(n)$-th elements of $\mathcal{I}_i$, which are denoted by $\mathcal{I}_{i,m(n-1)+1}, \ldots, \mathcal{I}_{i,m(n)}$.

Along with the inductive definitions, three properties are proven: the first property shows the correspondence between $\alpha^n$ and $\alpha_i^{m(n)}$; the second and third property are used to show that $(\alpha_i^j, \mathcal{I}_i^j)_{j \ge 0}$ is indeed an outcome sequence of $(g_i, f_i)$ given $\alpha\lceil A_i$ and $\mathcal{I}_i$. Formally, the properties are written as follows.

P1 $\alpha^n\lceil A_i = \alpha_i^{m(n)}$.

P2 If $n > 0$ and $m(n) = m(n-1) + 1$ then $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 If $n > 0$ and $m(n) = m(n-1) + 2$ then $(\alpha_i^{m(n)-1}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)-1})$ and $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n)-1}, \mathcal{I}_{i,m(n)})$.

The base part of the proof is trivial. The inductive part of the proof is divided into cases based on the definition of $R_{(g,f)}$ (cf. Definition 3.12) and then subcases based on the definition of $(g, f)$ (cf. Definition 3.24).


Base case $n = 0$:

Define: $m(0) = 0$, $\alpha_i^0 = \alpha\lceil A_i$.

P1 By definition.

P2 Vacuously satisfied.

P3 Vacuously satisfied.

Inductive step $n > 0$:

Assume P1–P3 hold for all $k < n$. The definition of $R_{(g,f)}$ suggests three cases which are considered in order.


Case 1 $(\alpha^n, \mathcal{I}^n) = (\alpha^{n-1} a s, \mathrm{tail}(\mathcal{I}^{n-1}))$ where $f(\alpha^{n-1}) = (a, s)$ and $\mathrm{head}(\mathcal{I}^{n-1}) = \lambda$.
The definition of $f$ in Definition 3.24 suggests the following subcases:

Case 1.1 $p(\alpha^{n-1}) = i$ and $a \notin \mathrm{acts}(A_i)$.

Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}$, $\mathcal{I}_{i,m(n)} = \lambda$.

P1 Since $p(\alpha^{n-1}) = i$ and $a \notin \mathrm{acts}(A_i)$, case 1 of the definition of $f$ shows that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$. Now,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)} \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$ and $a \notin \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Since $p(\alpha^{n-1}) = i$ and $a \notin \mathrm{acts}(A_i)$, case 1 of the definition of $f$ shows that $f_i(\alpha^{n-1}\lceil A_i) = \bot$. Based on the induction hypothesis $f_i(\alpha_i^{m(n-1)}) = f_i(\alpha^{n-1}\lceil A_i)$, so $f_i(\alpha_i^{m(n-1)}) = \bot$. Now case two of the definition of $R_{(g_i,f_i)}$ confirms that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 Vacuously satisfied.


Case 1.2 $p(\alpha^{n-1}) = i$ and $a \in \mathrm{in}(A_i)$.

Define: $m(n) = m(n-1) + 2$, $\alpha_i^{m(n)-1} = \alpha_i^{m(n-1)}$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}\, a\, s\lceil A_i$, $\mathcal{I}_{i,m(n)-1} = \lambda$, $\mathcal{I}_{i,m(n)} = a$.

P1 In this case,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i\, a\, s\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)}\, a\, s\lceil A_i \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $a \in \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Vacuously satisfied.

P3 Since $p(\alpha^{n-1}) = i$ and $a \in \mathrm{in}(A_i)$, case 1 of the definition of $f$ shows that $f_i(\alpha^{n-1}\lceil A_i) = \bot$. Based on the induction hypothesis $f_i(\alpha_i^{m(n-1)}) = f_i(\alpha^{n-1}\lceil A_i)$, so $f_i(\alpha_i^{m(n-1)}) = \bot$. Now case two of the definition of $R_{(g_i,f_i)}$ confirms that $(\alpha_i^{m(n)-1}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)-1})$.

Since $a \in \mathrm{in}(A_i)$, case 1 of the definition of $f$ shows that $g_i(\alpha^{n-1}\lceil A_i, a) = s\lceil A_i$. Based on the induction hypothesis $g_i(\alpha_i^{m(n-1)}, a) = g_i(\alpha^{n-1}\lceil A_i, a)$. By definition $\alpha_i^{m(n)-1} = \alpha_i^{m(n-1)}$, so $g_i(\alpha_i^{m(n)-1}, a) = s\lceil A_i$. Now case three of the definition of $R_{(g_i,f_i)}$ shows that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n)-1}, \mathcal{I}_{i,m(n)})$.
Case 1.3 $p(\alpha^{n-1}) = i$ and $a \in \mathrm{local}(A_i)$, or $p(\alpha^{n-1}) \ne i$ and $a \in \mathrm{local}(A_i)$.

Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}\, a\, s\lceil A_i$, $\mathcal{I}_{i,m(n)} = \lambda$.

P1 In this case,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i\, a\, s\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)}\, a\, s\lceil A_i \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $a \in \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Since $a \in \mathrm{local}(A_i)$, case 1 of the definition of $f$ shows that $f_i(\alpha^{n-1}\lceil A_i) = (a, s\lceil A_i)$. Based on the induction hypothesis $f_i(\alpha_i^{m(n-1)}) = f_i(\alpha^{n-1}\lceil A_i)$, so $f_i(\alpha_i^{m(n-1)}) = (a, s\lceil A_i)$. Now case one of the definition of $R_{(g_i,f_i)}$ confirms that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 Vacuously satisfied.


Case 1.4 $p(\alpha^{n-1}) \ne i$ and $a \in \mathrm{in}(A_i)$.

Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}\, a\, s\lceil A_i$, $\mathcal{I}_{i,m(n)} = a$.

P1 In this case,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i\, a\, s\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)}\, a\, s\lceil A_i \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $a \in \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Since $a \in \mathrm{in}(A_i)$, case 1 of the definition of $f$ shows that $g_i(\alpha^{n-1}\lceil A_i, a) = s\lceil A_i$. Based on the induction hypothesis $g_i(\alpha_i^{m(n-1)}, a) = g_i(\alpha^{n-1}\lceil A_i, a)$, so $g_i(\alpha_i^{m(n-1)}, a) = s\lceil A_i$. Now case three of the definition of $R_{(g_i,f_i)}$ confirms that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 Vacuously satisfied.


Case 1.5 $p(\alpha^{n-1}) \ne i$ and $a \notin \mathrm{acts}(A_i)$.

Define: $m(n) = m(n-1)$.

P1 Since $p(\alpha^{n-1}) \ne i$ and $a \notin \mathrm{acts}(A_i)$, case 1 of the definition of $f$ shows that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$. Now,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)} \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$ and $a \notin \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Vacuously satisfied.

P3 Vacuously satisfied.


Case 2 $(\alpha^n, \mathcal{I}^n) = (\alpha^{n-1}, \mathrm{tail}(\mathcal{I}^{n-1}))$ where $f(\alpha^{n-1}) = \bot$ and $\mathrm{head}(\mathcal{I}^{n-1}) = \lambda$.

Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}$, $\mathcal{I}_{i,m(n)} = \lambda$.

P1 In this case,
$$\alpha^n\lceil A_i \overset{1}{=} \alpha^{n-1}\lceil A_i \overset{2}{=} \alpha_i^{m(n-1)} \overset{3}{=} \alpha_i^{m(n)}$$
where steps 1 and 3 follow from the definitions made in this case, and step 2 follows from the induction hypothesis.

P2 Since $f(\alpha^{n-1}) = \bot$, case 2 of the definition of $f$ shows that $f_i(\alpha^{n-1}\lceil A_i) = \bot$. Based on the induction hypothesis $f_i(\alpha_i^{m(n-1)}) = f_i(\alpha^{n-1}\lceil A_i)$, so $f_i(\alpha_i^{m(n-1)}) = \bot$. Now case two of the definition of $R_{(g_i,f_i)}$ confirms that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 Vacuously satisfied.


Case 3 $(\alpha^n, \mathcal{I}^n) = (\alpha^{n-1} a s, \mathrm{tail}(\mathcal{I}^{n-1}))$ where $g(\alpha^{n-1}, a) = s$ and $\mathrm{head}(\mathcal{I}^{n-1}) = a$.
The definition of $g$ in Definition 3.24 suggests the following subcases:

Case 3.1 $a \in \mathrm{in}(A_i)$.

Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}\, a\, s\lceil A_i$, $\mathcal{I}_{i,m(n)} = a$.

P1 In this case,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i\, a\, s\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)}\, a\, s\lceil A_i \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $a \in \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 The definition of $g$ shows that $g_i(\alpha^{n-1}\lceil A_i, a) = s\lceil A_i$. Based on the induction hypothesis, $g_i(\alpha_i^{m(n-1)}, a) = g_i(\alpha^{n-1}\lceil A_i, a)$, so $g_i(\alpha_i^{m(n-1)}, a) = s\lceil A_i$. Now case three of the definition of $R_{(g_i,f_i)}$ shows that $(\alpha_i^{m(n)}, \varepsilon) = R_{(g_i,f_i)}(\alpha_i^{m(n-1)}, \mathcal{I}_{i,m(n)})$.

P3 Vacuously satisfied.


Case 3.2 $a \notin \mathrm{in}(A_i)$.

Define: $m(n) = m(n-1)$.

P1 The definition of $g$ shows that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$. Then,
$$\alpha^n\lceil A_i \overset{1}{=} (\alpha^{n-1} a s)\lceil A_i \overset{2}{=} \alpha^{n-1}\lceil A_i \overset{3}{=} \alpha_i^{m(n-1)} \overset{4}{=} \alpha_i^{m(n)}$$
where steps 1 and 4 follow from the definitions made in this case, step 2 follows from the fact that $s\lceil A_i = \mathrm{lstate}(\alpha^{n-1})\lceil A_i$ and $a \notin \mathrm{acts}(A_i)$, and step 3 follows from the induction hypothesis.

P2 Vacuously satisfied.

P3 Vacuously satisfied.

This concludes the inductive definition and induction proof.


The second part of the proof consists of showing that $\mathcal{I}_i$ is indeed an environment sequence for $A_i$. Denote the generic $j$-th element of $\mathcal{I}_i$ by $\mathcal{I}_{i,j}$. The sequence $\mathcal{I}_i$ is well defined since $\mathcal{I}_{i,m(n)}$ is defined whenever $m(n) = m(n-1) + 1$ and $\mathcal{I}_{i,m(n)-1}$ and $\mathcal{I}_{i,m(n)}$ are defined whenever $m(n) = m(n-1) + 2$. Showing that $\mathcal{I}_i$ is an environment sequence for $A_i$ induces two proof obligations:

1. $\mathcal{I}_{i,j} \in \mathrm{in}(A_i) \cup \{\lambda\}$ for all $j > 0$.
This follows immediately from the definition of $\mathcal{I}_{i,j}$ in the induction.

2. There are infinitely many $j > 0$ such that $\mathcal{I}_{i,j} = \lambda$.
Since $\mathcal{I}$ is an environment sequence, it contains infinitely many elements. Thus, the induction has infinitely many steps (i.e., $n \to \infty$). For every step, all cases of the induction except 1.4, 1.5, 3.1, and 3.2 define a new element $\mathcal{I}_{i,j}$ such that $\mathcal{I}_{i,j} = \lambda$. Thus, the proof obligation is met as long as there exists no $n_0 > 0$ such that for all $n > n_0$ every step of the induction leads to case 1.4, 1.5, 3.1, or 3.2. For a contradiction assume such an $n_0$ exists. Consider the following observations about cases 1.4, 1.5, 3.1 and 3.2. If the $n$-th step leads to case 3.1 or 3.2, then $l(\alpha^n) = l(\alpha^{n-1})$. If the $n$-th step leads to case 1.4 or 1.5, then $l(\alpha^n) = l(\alpha^{n-1}) + 1$. Furthermore, cases 1.4 and 1.5 require that $p(\alpha^{n-1}) \ne i$, where $p(\alpha^{n-1}) = (l(\alpha^{n-1}) \bmod N) + 1$. Thus, since $N$ is finite, there can be at most finitely many steps after the $n_0$-th step that lead to case 1.4 or 1.5, i.e., as many as necessary to get $p(\alpha^{n-1}) = i$. In other words, there exists a number $n_1 > n_0$ such that for each $n > n_1$ the $n$-th step leads to case 3.1 or 3.2. However, since $\mathcal{I}$ is an environment sequence, for infinitely many $n$ such that $n > n_1$, $\mathrm{head}(\mathcal{I}^{n-1}) = \lambda$. Now there is a contradiction since the $n$-th step cannot lead to case 3.1 or 3.2 when $\mathrm{head}(\mathcal{I}^{n-1}) = \lambda$.

An immediate consequence of the fact that $\mathcal{I}_i$ contains infinitely many $\lambda$ symbols is that $\lim_{n \to \infty} m(n) = \infty$. In fact, $m(n) > m(n-1)$ whenever $\mathcal{I}_{i,m(n)} = \lambda$.


The final step of the proof consists in showing that $(\alpha_i^n, \mathcal{I}_i^n)_{n \ge 0}$ is the outcome sequence of $(g_i, f_i)$ given $\alpha\lceil A_i$ and $\mathcal{I}_i$, and thus that $O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i = O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i)$. Let $\mathcal{I}_i^n$ denote the suffix of $\mathcal{I}_i$ generated by removing the first $n$ elements of $\mathcal{I}_i$. By definition, $(\alpha_i^0, \mathcal{I}_i^0) = (\alpha\lceil A_i, \mathcal{I}_i)$. Thus it must be verified that for all $n > 0$, $(\alpha_i^n, \mathcal{I}_i^n) = R_{(g_i,f_i)}(\alpha_i^{n-1}, \mathcal{I}_i^{n-1})$. This fact follows directly from P2 and P3 and the following observation: "For any strategy $(g', f')$ defined on any safe I/O automaton $A'$, any pair of executions $\alpha', \alpha'' \in \mathrm{exec}^*(A')$, and any environment sequence $\mathcal{I}'$, $(\alpha'', \mathrm{tail}(\mathcal{I}')) = R_{(g',f')}(\alpha', \mathcal{I}')$ iff $(\alpha'', \varepsilon) = R_{(g',f')}(\alpha', \mathrm{head}(\mathcal{I}'))$." Since $(\alpha_i^n, \mathcal{I}_i^n)_{n \ge 0}$ is an outcome sequence of $(g_i, f_i)$ given $\alpha\lceil A_i$ and $\mathcal{I}_i$, the definition of an outcome shows that $O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i) = \lim_{n \to \infty} \alpha_i^n$. Thus,

$$O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i \overset{1}{=} \Big(\lim_{n \to \infty} \alpha^n\Big)\lceil A_i \overset{2}{=} \lim_{n \to \infty} (\alpha^n\lceil A_i) \overset{3}{=} \lim_{n \to \infty} \alpha_i^{m(n)} \overset{4}{=} \lim_{n \to \infty} \alpha_i^n \overset{5}{=} O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i)$$

where step 1 follows from the definition of $\alpha^n$, step 2 follows from the continuity of the projection operator, step 3 follows from P1, step 4 follows from the fact that $\lim_{n \to \infty} m(n) = \infty$ and the family $(\alpha_i^n)_{n \ge 0}$ forms a chain ordered under prefix, and step 5 follows from the fact that $O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i) = \lim_{n \to \infty} \alpha_i^n$. □
Lemma 3.27

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live I/O automata and, for each $1 \le i \le N$, let $(g_i, f_i)$ be an environment-free strategy for $(A_i, L_i)$. Then $(g_1, f_1) \| \cdots \| (g_N, f_N)$ is an environment-free strategy for $(A_1, L_1) \| \cdots \| (A_N, L_N)$.

Proof. Let $(A, L) = (A_1, L_1) \| \cdots \| (A_N, L_N)$ and $(g, f) = (g_1, f_1) \| \cdots \| (g_N, f_N)$. From Definition 3.4, we know that $A$ is a safe I/O automaton. Furthermore, from Definition 3.19, Lemma 3.5, and the fact that each $L_i \subseteq \mathrm{exec}(A_i)$, the set $L$ is a subset of $\mathrm{exec}(A)$.

Consider any environment sequence $\mathcal{I}$ for $A$ and any finite execution $\alpha$ of $A$. By Lemma 3.26 there exists for all $A_i$ an environment sequence $\mathcal{I}_i$ such that $O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i = O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i)$. Since $(g_i, f_i)$ is an environment-free strategy for $(A_i, L_i)$, $O_{(g_i,f_i)}(\alpha\lceil A_i, \mathcal{I}_i) \in L_i$. Consequently, $O_{(g,f)}(\alpha, \mathcal{I})\lceil A_i \in L_i$ for all $(A_i, L_i)$. From Definition 3.19, $O_{(g,f)}(\alpha, \mathcal{I}) \in L$. Thus $(g, f)$ is an environment-free strategy for $(A, L)$. □


Proposition 3.28 (Closure of parallel composition)

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live I/O automata. Then $(A_1, L_1) \| \cdots \| (A_N, L_N)$ is a live I/O automaton.

Proof. Let $(A, L) = (A_1, L_1) \| \cdots \| (A_N, L_N)$. From Definition 3.4, we know that $A$ is a safe I/O automaton. Furthermore, from Definition 3.19, Lemma 3.5, and the fact that each $L_i \subseteq \mathrm{exec}(A_i)$, the set $L$ is a subset of $\mathrm{exec}(A)$.

For each $1 \le i \le N$, let $(g_i, f_i)$ be an environment-free strategy for $(A_i, L_i)$. By Lemma 3.27 the strategy $(g, f) = (g_1, f_1) \| \cdots \| (g_N, f_N)$ is an environment-free strategy for $(A, L)$. Therefore, the pair $(A, L)$ is environment-free. Thus, from Definition 3.16, $(A, L)$ is a live I/O automaton. □


Environment-freedom is a crucial property of live I/O automata since it guarantees that no pair of compatible live I/O automata constrain each other's environments. In particular, if a pair $(A, L)$ is not environment-free, the parallel composition operator may generate pairs that are not even live automata.


Example 3.29

Consider safe I/O automata $A$ and $B$ described by the state transition diagrams below.

[Transition diagrams of $A$ and $B$, each over the actions $a$ and $b$; not recoverable from the extraction.]

For $A$, action $b$ is an input action, and action $a$ is an output action; for $B$, action $a$ is an input action and action $b$ is an output action. Let the liveness condition $L_A$ for $A$ be the set of executions $\alpha$ of $A$ such that $\mathrm{trace}(\alpha)$ ends in $(ab)^\omega$ or $a^\omega$, and let the liveness condition $L_B$ for $B$ be the set of executions $\alpha$ of $B$ such that $\mathrm{trace}(\alpha)$ ends in $(aabb)^\omega$ or $b^\omega$.

The pairs $(A, L_A)$ and $(B, L_B)$ are not environment-free. To see that $(A, L_A)$ is not environment-free consider the environment sequence $\mathcal{I} = bb\lambda bb\lambda \cdots$; to see that $(B, L_B)$ is not environment-free consider the environment sequence $\mathcal{I} = aaa\lambda aaa\lambda \cdots$.

Let $(C, L_C) = (A, L_A) \| (B, L_B)$. In this case, $L_C = \emptyset$. Thus $L_C$ is not a liveness condition for $C$, which means that $(C, L_C)$ is not even a live automaton. □
Example 3.29 also exposes the flaw in a simpler and more intuitive definition for environment-freedom we originally considered for this paper. The simpler definition, which is a natural generalization of the fairness condition of [LT87] and is also discussed in [LS89], states that "a pair $(A, L)$ is environment-free if for each finite execution $\alpha$ of $A$ and each (finite or infinite) sequence $\beta$ of input actions there is an execution fragment $\alpha'$ of $A$ such that $\alpha'\lceil \mathrm{in}(A) = \beta$ and $\alpha \frown \alpha' \in L$." It is easy to see that the pairs $(A, L_A)$ and $(B, L_B)$ of Example 3.29 are both environment-free based on the simpler definition. However, the example shows that their composition cannot be a live I/O automaton. The problem with the simpler definition is that it allows the system to choose its relative speed with respect to the environment, and it allows the system to base its decisions on the future behavior of the environment. Example 3.29 shows that the simpler definition thus gives the system too much power for parallel composition to be closed.


3.5 Preorder Relations for Live I/O Automata 


In [LT87, Dil88, AL93] the notion of implementation is expressed through some form of trace 
inclusion. Similar notions of implementation can be defined on live I/O automata. In particular 
it is possible to identify two preorder relations, the safe and the live preorders, which aim at 
capturing the safety and liveness aspects of live I/O automata, respectively. 


Definition 3.30 (Trace preorders)

Given two live I/O automata $(A_1, L_1)$ and $(A_2, L_2)$ such that $\mathrm{esig}(A_1) = \mathrm{esig}(A_2)$, define the following preorders:

Safe: $(A_1, L_1) \sqsubseteq_S (A_2, L_2)$ iff $\mathrm{traces}(A_1) \subseteq \mathrm{traces}(A_2)$
Live: $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$ iff $\mathrm{traces}(L_1) \subseteq \mathrm{traces}(L_2)$ □


The safe preorder is the same as the unfair preorder of I/O automata [LT87], while the live preorder is a generalization of the fair preorder of [LT87]. In particular, the live preorder coincides with the fair preorder if, for each live I/O automaton $(A, L)$, $L$ is chosen to be the set of fair executions of $A$. The conformation preorder of [Dil88], which expresses the notion of implementation for complete trace structures, coincides with the live preorder when dealing with failure free complete trace structures. Finally, the notion of implementation of [AL93], which works in a state based model, coincides with the live preorder up to a different notion of traces arising from the state structure of the model. In [AL93], a system $M_1$ implements a system $M_2$ iff the set of "traces" of the realizable part of $M_1$ is a subset of the set of "traces" of the realizable part of $M_2$. Furthermore, if a system $M$ is receptive, then $M$ is equal to its realizable part. Thus, for receptive systems, the implementation notion of [AL93] is just the live trace preorder. The reader is referred to Section 3.6 for more details about realizability. It is interesting to note that the live preorder implies the safe preorder whenever the involved automata have finite internal nondeterminism. On the other hand, if the involved automata do not have finite internal nondeterminism, the live preorder only implies finite trace inclusion. Essentially, finite internal nondeterminism requires that a live I/O automaton has a finite internal branching structure. In particular, an external action can lead to only a finite number of states, and a state may enable at most a finite number of internal actions.


Definition 3.31 (Finite internal nondeterminism)

An automaton $A$ has finite internal nondeterminism (FIN) iff, for each finite trace $\beta \in \mathrm{traces}^*(A)$, the set $\{\mathrm{lstate}(\alpha) \mid \alpha \in \mathrm{exec}^*(A), \mathrm{trace}(\alpha) = \beta\}$ is finite. □


Proposition 3.32

Let $(A_1, L_1)$ and $(A_2, L_2)$ be two live I/O automata with $\mathrm{esig}(A_1) = \mathrm{esig}(A_2)$.

1. If $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$ then $\mathrm{traces}^*(A_1) \subseteq \mathrm{traces}^*(A_2)$.

2. If $A_2$ has FIN and $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$, then $(A_1, L_1) \sqsubseteq_S (A_2, L_2)$.

Proof.

1. Let $\beta$ be a finite trace of $A_1$. By definition of trace, there is an execution $\alpha_1$ of $A_1$ such that $\mathrm{trace}(\alpha_1) = \beta$. By definition of a live I/O automaton there exists an execution $\alpha_1'$ of $A_1$ such that $\alpha_1 \le \alpha_1'$ and $\alpha_1' \in L_1$. Since $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$, there exists an execution $\alpha_2'$ in $L_2$ such that $\mathrm{trace}(\alpha_2') = \mathrm{trace}(\alpha_1')$. By definition of a live I/O automaton, $\alpha_2'$ is an execution of $A_2$, and, since the set of executions of an automaton is closed under prefix, there is a prefix $\alpha_2$ of $\alpha_2'$ such that $\alpha_2$ is an execution of $A_2$ and $\mathrm{trace}(\alpha_2) = \beta$, i.e., $\beta$ is a trace of $A_2$.

2. Finite trace inclusion follows directly from part 1. Infinite trace inclusion follows from finite trace inclusion, closure under prefix of trace sets, and the fact that trace sets of automata with finite internal nondeterminism are closed under prefix ordering limit [LV91]. □


The proof of Proposition 3.32 supports the requirement of our definition of a liveness condition 
(Definition 3.2) that every safe execution be extendible to a live execution. Without this 
requirement, the live preorder could not be used to infer the safe preorder, i.e., neither part of 
Proposition 3.32 would hold. 


An important goal of this paper is the substitutivity of the safe and live preorders for the 
operators of Section 3.4. In the case of the parallel composition operator, this means that 
an implementation of a system made up of several parallel components can be obtained by 
implementing each component separately. 


Theorem 3.33 (Substitutivity)

Let $(A_i, L_i)$, $(A_i', L_i')$, $i = 1, \ldots, N$ be live I/O automata, and let $\sqsubseteq_X$ be either $\sqsubseteq_S$ or $\sqsubseteq_L$. If, for each $i$, $(A_i, L_i) \sqsubseteq_X (A_i', L_i')$, then

1. if $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible and $(A_1', L_1'), \ldots, (A_N', L_N')$ are compatible then
$(A_1, L_1) \| \cdots \| (A_N, L_N) \sqsubseteq_X (A_1', L_1') \| \cdots \| (A_N', L_N')$

2. if $\Lambda \subseteq \mathrm{local}(A_1)$ and $\Lambda \subseteq \mathrm{local}(A_1')$ then
$(A_1, L_1) \setminus \Lambda \sqsubseteq_X (A_1', L_1') \setminus \Lambda$

3. if $\rho$ is a mapping applicable to both $A_1$ and $A_1'$, then
$\rho((A_1, L_1)) \sqsubseteq_X \rho((A_1', L_1'))$

Proof. The substitutivity results for the safe trace preorder are already proven in [LT87]. The substitutivity results for the live trace preorder follow directly from the definitions of the parallel composition, hiding, and renaming operators after observing, as is proved in Corollaries 8, 13 and Lemma 15 of [LT87], that parallel composition, hiding and renaming of execution sets preserve trace equivalence. □


The following example shows that the absence of environment-freedom can lead to situations 
where the substitutivity result of Theorem 3.33 breaks down. 


Example 3.34

Consider the safe I/O automata $A_1$, $A_2$, and $A_3$ with the transition diagrams below.

[Transition diagrams of $A_1$, $A_2$ and $A_3$ (states $s_0$, $s_1$, $s_2$ visible); not recoverable from the extraction.]

where $a$ and $b$ are output actions for $A_1$ and $A_2$ and are input actions for $A_3$. Let $L_1$ (resp. $L_2$) be the set of executions of $A_1$ (resp. $A_2$) containing at least one action and let $L_3$ be the set of executions of $A_3$ containing at least one occurrence of action $a$ immediately followed by an occurrence of action $b$. It is easy to check that $(A_1, L_1)$ and $(A_2, L_2)$ are both environment-free, but $(A_3, L_3)$ is not environment-free since it requires at least one input.

Observe that $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$ and that $(A_2, L_2) \| (A_3, L_3)$ is environment-free and thus a live I/O automaton. One might want to conclude that $(A_1, L_1) \| (A_3, L_3) \sqsubseteq_L (A_2, L_2) \| (A_3, L_3)$.

Unfortunately, this conclusion is false. In particular, let $(A, L) = (A_1, L_1) \| (A_3, L_3)$. Then, the set $L$ is not a liveness condition since $A_1$ can never perform an action $a$ followed by an action $b$. Thus, the fact that $(A_3, L_3)$ is not environment-free causes situations where the parallel composition with $(A_3, L_3)$ fails to lead to a pair $(A, L)$ where $L$ is a liveness condition. This in turn causes the substitutivity of the parallel composition operator to fail. □


There are several ways in which the live preorder can be justified as an adequate notion of implementation for live I/O automata. Since the live preorder captures the implementation notions of [LT87, Dil88, AL93] it can rest on the justifications provided for these implementation notions. For example, the fair preorder of [LT87] is justified by two observations. First, the fact that I/O automata are input-enabled guarantees that a system must respond to any environment. In our model the same property is guaranteed by the concept of environment-freedom. Second, by restricting attention to fair traces the correctness of an implementation is based only on executions where the system behaves fairly. In our model this property is guaranteed by restricting attention to live traces.

An additional justification for the live preorder as a notion of implementation is based on the concepts of safety and liveness properties. It is easy to see that the safe preorder preserves the safety properties of a system, i.e., the safe preorder guarantees that an implementation cannot do anything that is not allowed by the specification. The live preorder, on the other hand, preserves the liveness properties of a system, thus guaranteeing that an implementation must do something whenever it is required to by the specification. Informally, if after a sequence of actions $\beta$ something has to happen, $\beta$ is not a live trace of the specification, and thus not a live trace of the implementation. Therefore, even in the implementation something has to happen after $\beta$ has occurred. If the involved systems have finite internal nondeterminism, then the live preorder implies the safe preorder. Thus the live preorder guarantees both safety and liveness properties.


3.6 Comparison with Other Models 


This section compares our model with the models of [Dil88, LT87, AL93] and the work of [RWZ92].

The model of complete trace structures of [Dil88] is a special case of our model. Specifically, the model of [Dil88] does not include a state structure, so that the safe part of a live automaton in [Dil88] is given by a set of traces. Since there is no notion of a state in a complete trace structure, a strategy for a system is simpler than our strategies in the sense that the function $g$ is not necessary and the function $f$ simply picks a locally-controlled action based on previous environment moves. By ignoring the state structure of a system, the model of [Dil88] may erroneously view as receptive a state machine that is not environment-free in our model, since its traces may be receptive. Thus, complete trace structures are not adequate whenever the state structure of a system is important.

The I/O automaton model of [LT87] is also a special case of our model. An I/O automaton $M$ of [LT87] can be represented in our model as the environment-free pair $(A, L)$, where $A$ is the I/O automaton $M$ without the partition of its locally-controlled actions and $L$ is the set of fair executions of $M$. The environment-free strategy $(g, f)$ for $(A, L)$ is defined in such a way that $g$ picks any possible next state in response to an input action, while $f$ gives fair turns to proceed (say in a round-robin way) to all the components of $M$ that are continuously willing to perform some locally-controlled action. Thus [LT87] can only express some special cases of our general liveness conditions.


The model of [AL93] is based on unlabeled state transition systems and is suitable for the modeling of shared memory systems. An action in [AL93] is identified with a set of transitions, and transitions are partitioned into environment transitions and system transitions. The environment moves by performing an arbitrary finite number of environment transitions and the system responds by performing zero or one system transitions. The function $g$ is not necessary in a strategy for a system of [AL93] since the environment chooses the next shared state in its move and does not modify the internal state. The function $f$ chooses a new transition based on the past history of the system.

A fundamental difference between [AL93] and our work is that we define environment-freedom by requiring the existence of a strategy that can "win the game" after any finite execution $\alpha$, whereas [AL93] considers a weaker property, called realizability, where the requirement is the existence of a strategy that can win starting from any start state (cf. Example 3.17). The realizable part of a system of [AL93] is the set of behaviors that can be the outcome of some strategy. A system is then receptive if it coincides with its realizable part. The notion of receptiveness of [AL93] corresponds to our notion of environment-freedom, as can be derived easily from Proposition 9 of [AL93].

Example 3.17 shows a live automaton $(A, L)$ which is not environment-free. However, $(A, L)$ is realizable, and $(A', L')$, which is defined in the same example, is the realizable part of $(A, L)$. In [AL93] systems are compared based on their realizable parts. Thus, it is necessary to determine the realizable part of a system before its safety properties can be determined, and for this reason realizable systems are closed under parallel composition in [AL93]. In other words, $L$ can add new safety properties to $A$. However, later in [AL93] a notion of machine-realizability is introduced which separates safety and liveness properties and requires receptiveness, or equivalently environment-freedom, just like our live I/O automata.

Finally, it is easy to show, given our definition of environment-freedom, that the set of live traces of any live I/O automaton is union-game realizable according to [RWZ92], and thus describable by means of a standard I/O automaton of [LT87]. However, in general the I/O automaton description would involve a lot of encoding and would be extremely unnatural.


4 Timed Systems 


The notion of liveness discussed in the previous section is now extended to the timed model. Section 4.1 introduces timed automata along with timed executions and timed traces, and shows the relationship between the new timed executions and the ordinary executions from the untimed model. Section 4.2 introduces live timed automata. Section 4.3 defines safe timed I/O automata by introducing the Input/Output distinction. Section 4.4 extends the notion of environment-freedom to the timed model and defines live timed I/O automata. Section 4.5 introduces several preorders on live timed I/O automata, one of which is used to express a notion of implementation. Finally, Section 4.6 compares our model with existing work. Since Examples 3.10, 3.17, 3.29, and 3.34 apply equally to the timed model, our discussion focuses on issues specific to the timed model.
4.1 Timed Automata

The following definition of a timed automaton is the same as the corresponding definition in [LV93b] except for the fact that our definition allows multiple internal actions. Also, the notions of timed executions and timed traces are the same as the definitions of [LV93b]. The definitions are repeated here but the reader is referred to [LV93b] for further details. Times are specified using a dense time domain $T$. In this work, as in [LV93b], let $T$ be $\mathbb{R}^{\geq 0}$, the set of non-negative reals.

Definition 4.1 (Timed automaton)

A timed automaton $A$ is an automaton whose set of external actions contains a special time-passage action $\nu$. Define the set of visible actions to be $vis(A) = ext(A) \setminus \{\nu\}$.

As an additional component, a timed automaton contains a mapping $now_A : states(A) \to T$ (called $now$ when $A$ is clear from context), indicating the current time in a given state.

Finally, $A$ must satisfy the following five axioms.

S1 If $s \in start(A)$ then $s.now = 0$.
S2 If $(s, a, s') \in steps(A)$ and $a \neq \nu$, then $s'.now = s.now$.
S3 If $(s, \nu, s') \in steps(A)$ then $s'.now > s.now$.
S4 If $(s, \nu, s') \in steps(A)$ and $(s', \nu, s'') \in steps(A)$, then $(s, \nu, s'') \in steps(A)$.

To be able to state the last axiom, the following auxiliary definition is needed. Let $I$ be an interval of $T$. Then a function $\omega : I \to states(A)$ is an $A$-trajectory, sometimes called trajectory when $A$ is clear from context, if

1. $\omega(t).now = t$ for all $t \in I$, and
2. $(\omega(t), \nu, \omega(t')) \in steps(A)$ for all $t, t' \in I$ with $t < t'$.

That is, $\omega$ assigns to each time $t$ in the interval $I$ a state having the given time $t$ as its $now$ component. The assignment is done in such a way that time-passage steps can span between any pair of states in the range of $\omega$. Denote $\inf(I)$ and $\sup(I)$ by $ftime(\omega)$ and $ltime(\omega)$, respectively. If $I$ is left-closed, then denote $\omega(ftime(\omega))$ by $fstate(\omega)$. Similarly, if $I$ is right-closed, then denote $\omega(ltime(\omega))$ by $lstate(\omega)$. If $I$ is closed, then $\omega$ is said to be an $A$-trajectory from $fstate(\omega)$ to $lstate(\omega)$. An $A$-trajectory $\omega$ whose domain $dom(\omega)$ is a singleton set $[t, t]$ is also denoted by the set $\{\omega(t)\}$. The range of $\omega$ is denoted by $rng(\omega)$.

The final axiom then becomes

S5 If $(s, \nu, s') \in steps(A)$ then there exists an $A$-trajectory from $s$ to $s'$. ∎

Axiom S1 states that time must be 0 in any start state. Axiom S2 says that non-time-passage steps occur instantaneously. In this framework, operations with some duration in time are modeled by a start action and an end action. Axiom S3 says that time-passage steps cause time to increase. Axiom S4 gives a natural property of time, namely that if time can pass in two steps, then it can also pass in a single step. Finally, Axiom S5 says that if time can pass from time $t$ to time $t'$, then it is possible to associate states with all times in the interval $[t, t']$ in a consistent way. In [LV93b] the last axiom is explained further and compared to the weaker axiom that says the following: if time can pass in one step, then it can pass in two steps with the time of the intermediate state being any time in the interval.


Timed Executions

Section 3 introduced the notions of execution and trace for automata. These notions carry over to timed automata with the addition of one new idea.

In particular, the notion of execution only allows one to associate states with a countable number of points in time, whereas the trajectory axiom S5 allows one to associate states with all real times. Also, the intuition about the execution of a timed system is that visible actions occur at points in time, and that time passes "continuously" between these points. These observations lead to the definition of a timed execution. The definition is close to the notion of hybrid computation of [MMP91] where continuous changes and discrete events alternate during the execution of a system.

A timed execution fragment $\aleph$ of a timed automaton $A$ is a (finite or infinite) sequence of alternating $A$-trajectories and actions in $vis(A) \cup int(A)$, starting in a trajectory and, if the sequence is finite, ending in a trajectory

$\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$

such that the following holds for each index $i$:

1. If $\omega_i$ is not the last trajectory in $\aleph$, then its domain is a closed interval. If $\omega_i$ is the last trajectory of $\aleph$ (when $\aleph$ is a finite sequence), then its domain is a left-closed interval (and either open or closed to the right).

2. If $\omega_i$ is not the last trajectory of $\aleph$, then $(lstate(\omega_i), a_{i+1}, fstate(\omega_{i+1})) \in steps(A)$.

A timed execution is a timed execution fragment $\omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ for which $fstate(\omega_0)$ is a start state.

If $\aleph$ is a timed execution fragment, then define $ftime(\aleph)$ and $fstate(\aleph)$ to be $ftime(\omega_0)$ and $fstate(\omega_0)$, respectively, where $\omega_0$ is the first trajectory of $\aleph$. Also, define $ltime(\aleph)$ to be the supremum of the union of the domains of the trajectories of $\aleph$, i.e. the supremum of the $now$ values of all the states in the ranges of the trajectories of $\aleph$. Finally, if $\aleph$ is a finite sequence where the domain of the last trajectory $\omega$ is a closed interval, define $lstate(\aleph)$ to be $lstate(\omega)$.


Finite, Admissible, and Zeno Timed Executions

The timed executions and timed execution fragments of a timed automaton can be partitioned into finite, admissible, and Zeno timed executions and timed execution fragments.

A timed execution (fragment) $\aleph$ is defined to be finite if it is a finite sequence and the domain of the last trajectory is a closed interval. A timed execution (fragment) $\aleph$ is admissible if $ltime(\aleph) = \infty$. Finally, a timed execution (fragment) $\aleph$ is Zeno if it is neither finite nor admissible.

There are basically two types of Zeno timed executions: those containing infinitely many occurrences of non-time-passage actions but for which there is a finite upper bound on the times in the domains of the trajectories, and those containing finitely many occurrences of non-time-passage actions and for which the domain of the last trajectory is right-open. Thus, Zeno timed executions represent executions of a timed automaton where an infinite amount of activity occurs in a bounded period of time. (For the second type of Zeno timed executions, the infinitely many time-passage steps needed to span the right-open interval should be thought of as an "infinite amount of activity".)

There are idealized processes that naturally exhibit Zeno behaviors. As an example consider a ball that bounces on the floor and loses a fraction of its energy at each bounce. Ideally the ball will bounce infinitely many times within a finite amount of time. Note, however, that our timed automaton model cannot suitably describe this process since there is no way of specifying what happens after the ball stops bouncing. Fortunately, Zeno behaviors do not occur in the systems we are interested in describing.

From now on, the focus will be on admissible timed executions since these executions correspond to the intuition that time is a force beyond control that happens to approach infinity. However, according to the definition of timed automata, it is possible to specify timed automata for which from some states no admissible timed execution fragments are possible. In particular, such a state may only allow a Zeno timed execution, or it may prevent time from advancing at all (in which case a time deadlock has occurred).

Denote by $t\text{-}frag^*(A)$, $t\text{-}frag^\infty(A)$, $t\text{-}frag^Z(A)$, and $t\text{-}frag(A)$ the sets of finite, admissible, Zeno, and all timed execution fragments of $A$. Similarly, denote by $t\text{-}exec^*(A)$, $t\text{-}exec^\infty(A)$, $t\text{-}exec^Z(A)$, and $t\text{-}exec(A)$ the sets of finite, admissible, Zeno, and all timed executions of $A$.

A finite timed execution fragment $\aleph_1 = \omega_0 a_1 \omega_1 \cdots a_n \omega_n$ of $A$ and a timed execution fragment $\aleph_2 = \omega'_n a_{n+1} \omega_{n+1} a_{n+2} \omega_{n+2} \cdots$ of $A$ can be concatenated if $lstate(\aleph_1) = fstate(\aleph_2)$. The concatenation, written $\aleph_1 \frown \aleph_2$, is defined to be $\aleph = \omega_0 a_1 \omega_1 \cdots a_n (\omega_n \frown \omega'_n) a_{n+1} \omega_{n+1} a_{n+2} \omega_{n+2} \cdots$, where $(\omega \frown \omega')(t)$, for any functions $\omega$ and $\omega'$ from intervals of time to $states(A)$, is defined to be $\omega(t)$ if $t$ is in $dom(\omega)$, and $\omega'(t)$ if $t$ is in $dom(\omega') \setminus dom(\omega)$. It is easy to see that $\aleph$ is a timed execution fragment of $A$.

The notion of timed prefix, called t-prefix, for timed execution fragments is defined as follows. A timed execution fragment $\aleph_1$ of $A$ is a t-prefix of a timed execution fragment $\aleph_2$ of $A$, written $\aleph_1 \leq_t \aleph_2$, if either $\aleph_1 = \aleph_2$ or $\aleph_1$ is finite and there exists a timed execution fragment $\aleph'_2$ of $A$ such that $\aleph_2 = \aleph_1 \frown \aleph'_2$. Likewise, $\aleph_1$ is a t-suffix of $\aleph_2$ if there exists a finite timed execution fragment $\aleph'_2$ such that $\aleph_2 = \aleph'_2 \frown \aleph_1$.

For a finite timed execution fragment $\aleph_1$ and a timed execution fragment $\aleph_2$ with $\aleph_1 \leq_t \aleph_2$, define $\aleph_2 - \aleph_1$ to be the (unique) timed execution fragment $\aleph'_2$ such that $\aleph_2 = \aleph_1 \frown \aleph'_2$.

The length of a timed execution fragment $\aleph$ expresses the number of visible and internal actions in $\aleph$. Thus, even though $\aleph$ is admissible or Zeno (and thus not finite), its length might be finite. Formally, define the length of $\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ as

$|\aleph| = \begin{cases} n & \text{if } \aleph \text{ is a finite sequence and ends in } \omega_n, \\ \infty & \text{if } \aleph \text{ is an infinite sequence.} \end{cases}$

The definition of the $i$th prefix of $\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$, for all $0 \leq i \leq |\aleph|$, is

$\aleph|_i = \omega_0 a_1 \omega_1 \cdots a_i \omega_i.$

Define $\aleph \lhd t$, read "$\aleph$ before $t$", for all $t \geq ftime(\aleph)$, to be the t-prefix of $\aleph$ that includes exactly all states with times not bigger than $t$. Formally,

$\aleph \lhd t = \begin{cases} \aleph & \text{if } t \geq ltime(\aleph), \\ \aleph' & \text{if } t < ltime(\aleph) \text{ and there exists } \aleph'' = \omega''_i a''_{i+1} \omega''_{i+1} \cdots \text{ such that } \aleph = \aleph' \frown \aleph'',\ ltime(\aleph') = t \text{ and } |dom(\omega''_i)| > 1. \end{cases}$

Likewise, define $\aleph \rhd t$, read "$\aleph$ after $t$", for all $t < ltime(\aleph)$, or all $t \leq ltime(\aleph)$ when $\aleph$ is finite, to be the t-suffix of $\aleph$ that includes exactly all states with times not smaller than $t$. Formally,

$\aleph \rhd t = \begin{cases} \aleph & \text{if } t \leq ftime(\aleph), \\ \aleph'' & \text{if } t > ftime(\aleph) \text{ and there exists } \aleph' = \omega'_0 a'_1 \omega'_1 \cdots \omega'_i \text{ such that } \aleph = \aleph' \frown \aleph'',\ ftime(\aleph'') = t \text{ and } |dom(\omega'_i)| > 1. \end{cases}$
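The two operators just defined cut a fragment at a time point, and the condition $|dom| > 1$ on the trajectory at the cut decides which side keeps the states with $now = t$ when an action occurs exactly at time $t$. The following Python code is an added example, not code from the paper: it implements $\frown$, $\lhd$ and $\rhd$ for finite timed execution fragments under the assumption (ours, not the paper's) that the non-time part of a state is constant along a trajectory, so that a trajectory can be stored as a triple (ftime, ltime, disc) with $\omega(t) = (t, disc)$. The fragment X and its discrete parts p, q, r, s are constructed for the example.

```python
"""Concatenation, "before t" and "after t" on finite timed execution fragments."""
from typing import Any, List, Tuple

Traj = Tuple[float, float, Any]   # (ftime, ltime, disc): omega(t) = (t, disc) on the closed domain
TExec = List[Any]                 # alternating [omega0, a1, omega1, ..., an, omegan]

# Assumption of this example: the non-time part of a state is constant along
# a trajectory, so a trajectory is fully described by its closed domain and that part.

def ftime(x: TExec) -> float:
    return x[0][0]

def ltime(x: TExec) -> float:
    return x[-1][1]

def concat(x1: TExec, x2: TExec) -> TExec:
    """x1 ⌢ x2, defined when lstate(x1) = fstate(x2): the last trajectory of x1
    and the first of x2 are glued into one trajectory (omega_n ⌢ omega'_n)."""
    (f1, l1, d1), (f2, l2, d2) = x1[-1], x2[0]
    if (l1, d1) != (f2, d2):
        raise ValueError("lstate(x1) != fstate(x2): fragments cannot be concatenated")
    return x1[:-1] + [(f1, l2, d1)] + x2[1:]

def before(x: TExec, t: float) -> TExec:
    """x ◁ t: the t-prefix holding exactly the states with now <= t.  The cut is
    placed in the first trajectory whose domain extends beyond t, so the
    remainder starts with a trajectory of non-singleton domain (|dom| > 1)."""
    if t < ftime(x):
        raise ValueError("t must be >= ftime(x)")
    if t >= ltime(x):
        return list(x)
    k = next(k for k in range(0, len(x), 2) if x[k][1] > t)
    f, _, d = x[k]
    return x[:k] + [(f, t, d)]

def after(x: TExec, t: float) -> TExec:
    """x ▷ t: the t-suffix holding exactly the states with now >= t.  The cut is
    placed in the last trajectory whose domain starts before t, so the removed
    prefix ends with a trajectory of non-singleton domain."""
    if t > ltime(x):
        raise ValueError("t must be <= ltime(x) for a finite fragment")
    if t <= ftime(x):
        return list(x)
    k = max(k for k in range(0, len(x), 2) if x[k][0] < t)
    _, l, d = x[k]
    return [(t, l, d)] + x[k + 1:]

def states_at(x: TExec, t: float) -> list:
    """All states of x with now = t (several when actions occur at time t)."""
    return [(t, d) for (f, l, d) in x[0::2] if f <= t <= l]

# Constructed fragment: action a at time 5, then b also at time 5 (instantaneous
# steps, axiom S2), then c at time 10; discrete parts p, q, r, s.
X: TExec = [(0.0, 5.0, "p"), "a", (5.0, 5.0, "q"), "b", (5.0, 10.0, "r"), "c", (10.0, 12.0, "s")]

def split_rejoins(x: TExec, t: float) -> bool:
    """(x ◁ t) ⌢ (x ▷ t) = x holds exactly when no action occurs at time t."""
    try:
        return concat(before(x, t), after(x, t)) == x
    except ValueError:
        return False
```

With X as above, split_rejoins(X, 7.0) holds, whereas at t = 5 both X ◁ 5 and X ▷ 5 contain all three states with now = 5 (see states_at(X, 5.0)): the two halves overlap and cannot be concatenated, which is exactly the situation the $|dom| > 1$ conditions resolve by assigning the cut to different trajectories for $\lhd$ and $\rhd$.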


Timed Traces

In the untimed model automata are compared based on their traces. This turns out to be inadequate in the timed model as the following example illustrates. The example is a slight modification of an example in [LV91].

Example 4.2

Let $Idle$ be a timed automaton that lets time pass except that it performs a visible action $a$ at time 50. More specifically, let the state set be $T \times \{true, false\}$ with the initial state $(0, true)$, and let the steps be

$((t, b), \nu, (t', b))$ if $t < t' \wedge (b = true \Rightarrow t' \leq 50)$, and
$((50, true), a, (50, false))$.

Then let $Idle'$ be the timed automaton that performs $a$ at time 50 but also performs an internal action $\tau$ at time 37. Thus, the state space is $T \times \{true, false\} \times \{true, false\}$, initially $(0, true, true)$, and let the steps be

$((t, b_1, b_2), \nu, (t', b_1, b_2))$ if $t < t' \wedge (b_1 = true \Rightarrow t' \leq 37) \wedge (b_2 = true \Rightarrow t' \leq 50)$,
$((37, true, true), \tau, (37, false, true))$, and
$((50, false, true), a, (50, false, false))$.

Then $Idle$ and $Idle'$ do not have the same traces. In particular, $Idle$ has a trace $\nu a$ that is not a trace of $Idle'$. ($Idle'$ has a trace $\nu\nu a$ since it cannot let time pass to 50 in one step.) This clearly contradicts the intuition about timed automata. Seen from "the outside" they both wait until time 50 and then perform $a$. The example explains why traces are not a good basis for comparing timed automata.

Note that making $\nu$ internal would not solve the problem. In that case, a timed automaton that performs $a$ at time 10 would have the same traces (namely $a$) as a timed automaton that performs $a$ at time 50. ∎

The problem in Example 4.2 arises because of the invisible nature of time-passage actions. This leads to timed traces, which consist of the visible actions together with their time of occurrence.


Timed Sequence Pairs

A timed sequence over a set $K$ is defined to be a (finite or infinite) sequence $\beta$ over $K \times T$ in which the second components of every pair (the time components) are nondecreasing. Define $\beta$ to be Zeno if it is infinite and the limit of the time components is finite. For any nonempty timed sequence $\beta$, define $ftime(\beta)$ to be the time component of the first pair in $\beta$.

As for timed execution fragments, the operators $\lhd$ and $\rhd$ are defined on timed sequences. Define $\beta \lhd t$, for all $t \in T$, to be the longest prefix $\beta'$ of $\beta$ such that all time components of $\beta'$ are less than or equal to $t$. Similarly, define $\beta \rhd t$, for all $t \in T$, to be the longest suffix¹ $\beta'$ such that all time components of $\beta'$ are greater than or equal to $t$.

A timed sequence pair over $K$ is a pair $\gamma = (\beta, t)$, where $\beta$ is a timed sequence over $K$ and $t \in T \cup \{\infty\}$, such that $t$ is greater than or equal to all time components in $\beta$. Let $seq(\gamma)$ and $ltime(\gamma)$ denote the two respective components of $\gamma$. Then define $ftime(\gamma)$ to be equal to $ftime(seq(\gamma))$ in case $seq(\gamma)$ is nonempty, and equal to $ltime(\gamma)$ otherwise. Denote by $tsp(K)$ the set of timed sequence pairs over $K$. A timed sequence pair $\gamma$ is said to be finite if both $seq(\gamma)$ and $ltime(\gamma)$ are finite, and admissible if $seq(\gamma)$ is not Zeno and $ltime(\gamma) = \infty$.

Timed Traces of Timed Automata

Let $\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be a timed execution fragment of a timed automaton $A$. For each $a_i$, define the time of occurrence $t_i$ to be $ltime(\omega_{i-1})$, or equivalently, $ftime(\omega_i)$. Then, define $t\text{-}seq(\aleph)$ to be the sequence consisting of the actions in $\aleph$ paired with their time of occurrence:

$t\text{-}seq(\aleph) = (a_1, t_1)(a_2, t_2) \cdots$

Then $t\text{-}trace(\aleph)$, the timed trace of $\aleph$, is defined to be the timed sequence pair over $vis(A)$

$t\text{-}trace(\aleph) = (t\text{-}seq(\aleph) \lceil (vis(A) \times T),\ ltime(\aleph)).$

Thus, $t\text{-}trace(\aleph)$ records the occurrences of visible actions together with their time of occurrence, and the limit time of the timed execution fragment. A timed trace suppresses both internal and time-passage actions.

¹ Strictly speaking, the suffix obtained by removing the shortest prefix.

Let $t\text{-}traces^*(A)$, $t\text{-}traces^\infty(A)$, $t\text{-}traces^Z(A)$, and $t\text{-}traces(A)$ denote the sets of timed traces of $A$ obtained from finite, admissible, Zeno, and all timed executions of $A$, respectively.
Relationships Between Timed and Untimed Execution Fragments

There is a close relationship between timed execution fragments and ordinary execution fragments of a timed automaton. This leads to an alternative, but equivalent, definition of timed traces. All definitions and lemmas are taken from [LV93b].

Sampling

Roughly speaking, an (ordinary) execution fragment can be regarded as "sampling" the state information in a timed execution fragment at a countable number of points in time. Formally, we say that an execution fragment $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ of $A$ samples a timed execution fragment $\aleph = \omega_0 b_1 \omega_1 b_2 \omega_2 \cdots$ of $A$ if there is a monotone increasing function $f : \mathbb{N} \to \mathbb{N}$ such that the following conditions are satisfied.

1. $f(0) = 0$,
2. $b_i = a_{f(i)}$ for all $i \geq 1$,
3. $a_j = \nu$ for all $j$ not in the range of $f$,
4. For all $i \geq 0$ such that $\omega_i$ is not the last trajectory in $\aleph$,
   (a) $s_j \in rng(\omega_i)$ for all $j$ with $f(i) \leq j < f(i+1)$,
   (b) $s_{f(i)}.now = ftime(\omega_i)$, and
   (c) $s_{f(i+1)-1}.now = ltime(\omega_i)$.
5. If $\omega_i$ is the last trajectory in $\aleph$, then
   (a) $s_j \in rng(\omega_i)$ for all $j$ with $f(i) \leq j$,
   (b) $s_{f(i)}.now = ftime(\omega_i)$, and
   (c) $\sup\{s_j.now \mid f(i) \leq j\} = ltime(\omega_i)$.

In other words, the function $f$ in this definition maps the (indices of) actions in $\aleph$ to corresponding (indices of) actions in $\alpha$, in such a way that exactly the non-time-passage actions of $\alpha$ are included in the image. Condition 4 is a consistency condition relating the first and last times for each non-final trajectory to the times produced by the appropriate steps of $\alpha$. Condition 5 gives a similar consistency condition for the first time of the final trajectory (if any); in place of the consistency condition for the last time, there is a "cofinality" condition asserting that the times grow to the same limit in both executions.

The following two straightforward lemmas show the relationship between timed execution fragments and ordinary execution fragments.

Lemma 4.3

Let $A$ be a timed automaton. If $\alpha$ is an execution fragment of $A$, then there is a timed execution fragment $\aleph$ of $A$ such that $\alpha$ samples $\aleph$. ∎

Lemma 4.4

Let $A$ be a timed automaton. If $\aleph$ is a timed execution fragment of $A$, then there is an execution fragment $\alpha$ of $A$ such that $\alpha$ samples $\aleph$. ∎

Define a state $s$ to be t-reachable in timed automaton $A$ provided that there is a finite timed execution $\aleph$ such that $lstate(\aleph) = s$. The following lemma shows that t-reachability can equivalently be defined by means of ordinary executions.

Lemma 4.5

State $s$ is t-reachable in $A$ iff it is reachable in $A$.

Proof. Straightforward using Lemmas 4.3 and 4.4. ∎

An important consequence of Lemma 4.5 is that any technique that can prove that a property holds for all final states of finite (ordinary) executions is a sound technique for proving that a property holds in all t-reachable states of a timed automaton. Most importantly, induction on the steps of ordinary executions is sound in this sense. Conversely, any technique that can prove that a property holds for all t-reachable states also proves that it holds for all reachable states.


Finite, Admissible and Zeno Execution Fragments

An execution fragment $\alpha$ is finite if it is a finite sequence. In the timed model, an execution fragment $\alpha$ is defined to be admissible if there is no finite upper bound on the $now$ values of the states in $\alpha$. Finally, an execution fragment is said to be Zeno if it is neither finite nor admissible.

Lemma 4.6

If $\alpha$ samples $\aleph$ then

1. $\alpha$ is finite iff $\aleph$ is finite,
2. $\alpha$ is admissible iff $\aleph$ is admissible, and
3. $\alpha$ is Zeno iff $\aleph$ is Zeno. ∎

Timed Traces

It is possible to give a sensible definition of the timed trace of an ordinary execution fragment of a timed automaton. Namely, suppose $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ is an execution fragment of a timed automaton $A$. First, define $ltime(\alpha)$ to be the supremum of the $now$ values of all the states in $\alpha$. Then let $\beta$ be the sequence consisting of the actions in $\alpha$ paired with their times of occurrence:

$\beta = (a_1, s_1.now)(a_2, s_2.now) \cdots$

Then $t\text{-}trace(\alpha)$, the timed trace of $\alpha$, is defined to be the pair

$t\text{-}trace(\alpha) = (\beta \lceil (vis(A) \times T),\ ltime(\alpha)).$

The following lemma shows that the definitions of timed traces for execution fragments and timed execution fragments are properly related:

Lemma 4.7

If $\alpha$ samples $\aleph$ then $t\text{-}trace(\alpha) = t\text{-}trace(\aleph)$. ∎
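To make Example 4.2, the sampling definition and Lemma 4.7 concrete, here is an added Python example (not code from the paper). Timed execution fragments are stored as alternating lists of trajectories and actions, ordinary executions as alternating lists of states and actions, and the sampling witness $f$ is derived rather than searched for, since conditions 1 to 3 determine it uniquely once $b_i \neq \nu$. Trajectories are assumed (our simplification, not the paper's) to keep the non-time part of the state constant, and the executions of $Idle$ and $Idle'$ are constructed by hand from the step relations of Example 4.2.

```python
"""Timed executions, traces vs. timed traces (Example 4.2), sampling and Lemma 4.7."""
from dataclasses import dataclass
from typing import Any, Callable, Tuple

NU = "nu"          # the time-passage action ν

@dataclass(frozen=True)
class Traj:
    """An A-trajectory over the closed interval [ftime, ltime].  Assumption of
    this example: the non-time part `disc` is constant along the trajectory,
    so omega(t) = (t, disc)."""
    ftime: float
    ltime: float
    disc: Any

    def contains(self, s) -> bool:          # s ∈ rng(omega)?
        return self.ftime <= s[0] <= self.ltime and s[1] == self.disc

# A timed execution fragment is the alternating list [omega0, a1, omega1, ...];
# an ordinary execution fragment is the alternating list [s0, a1, s1, ...] with
# states of the form (now, disc), where an action a_i may be ν.

def trace(alpha: list, ext: set) -> tuple:
    """Untimed trace: the external actions of alpha in order (ν included)."""
    return tuple(a for a in alpha[1::2] if a in ext)

def t_trace(x: list, vis: set) -> Tuple[tuple, float]:
    """t-trace(ℵ): visible actions paired with ltime of the preceding trajectory,
    together with ltime(ℵ)."""
    seq = tuple((x[i], x[i - 1].ltime) for i in range(1, len(x), 2) if x[i] in vis)
    return seq, x[-1].ltime

def t_trace_exec(alpha: list, vis: set) -> Tuple[tuple, float]:
    """Timed trace of an ordinary execution: each action paired with the now of
    the state that follows it; ltime is the supremum of all now values."""
    seq = tuple((alpha[i], alpha[i + 1][0]) for i in range(1, len(alpha), 2) if alpha[i] in vis)
    return seq, max(s[0] for s in alpha[0::2])

def samples(alpha: list, x: list) -> bool:
    """Does alpha sample ℵ = x (finite case)?  The witness f is forced: f(0) = 0
    and f(i) is the position in alpha of its i-th non-ν action (conditions 1-3);
    conditions 4 and 5 then check the states of alpha against each trajectory."""
    states, acts = alpha[0::2], alpha[1::2]
    trajs, tacts = x[0::2], x[1::2]
    f = [0] + [j + 1 for j, a in enumerate(acts) if a != NU]
    if len(f) != len(trajs) or any(acts[f[i] - 1] != tacts[i - 1] for i in range(1, len(f))):
        return False
    for i, w in enumerate(trajs):
        hi = f[i + 1] if i + 1 < len(f) else len(states)
        block = states[f[i]:hi]                 # s_j for f(i) <= j < f(i+1)
        if not all(w.contains(s) for s in block):
            return False                        # 4(a) / 5(a)
        if block[0][0] != w.ftime or block[-1][0] != w.ltime:
            return False                        # 4(b), 4(c) / 5(b), 5(c): finite, so sup = last now
    return True

def idle_step(s, a, s2) -> bool:
    """steps(Idle) of Example 4.2: ((t,b), ν, (t',b)) if t < t' and (b ⇒ t' <= 50);
    ((50,true), a, (50,false))."""
    (t, b), (t2, b2) = s, s2
    if a == NU:
        return t < t2 and b == b2 and (not b or t2 <= 50)
    return a == "a" and s == (50.0, True) and s2 == (50.0, False)

def is_execution(alpha: list, step: Callable, start: set) -> bool:
    return alpha[0] in start and all(step(alpha[i - 1], alpha[i], alpha[i + 1])
                                     for i in range(1, len(alpha), 2))

# Constructed executions of Idle and Idle' (internal τ at 37, a at 50).
IDLE_EXEC = [(0.0, True), NU, (50.0, True), "a", (50.0, False)]
IDLE_TEXEC = [Traj(0.0, 50.0, True), "a", Traj(50.0, 50.0, False)]
IDLE2_EXEC = [(0.0, (True, True)), NU, (37.0, (True, True)), "tau", (37.0, (False, True)),
              NU, (50.0, (False, True)), "a", (50.0, (False, False))]
IDLE2_TEXEC = [Traj(0.0, 37.0, (True, True)), "tau", Traj(37.0, 50.0, (False, True)),
               "a", Traj(50.0, 50.0, (False, False))]
EXT, VIS = {NU, "a"}, {"a"}

def example_4_2() -> dict:
    """Traces separate Idle from Idle'; timed traces identify them; Lemma 4.7
    holds on both constructed pairs."""
    pairs = [(IDLE_EXEC, IDLE_TEXEC), (IDLE2_EXEC, IDLE2_TEXEC)]
    return {
        "traces_differ": trace(IDLE_EXEC, EXT) != trace(IDLE2_EXEC, EXT),
        "t_traces_equal": t_trace(IDLE_TEXEC, VIS) == t_trace(IDLE2_TEXEC, VIS),
        "lemma_4_7": all(samples(e, x) and t_trace_exec(e, VIS) == t_trace(x, VIS) for e, x in pairs),
    }
```

example_4_2() reports that the untimed traces differ ($\nu a$ against $\nu\nu a$), that both timed traces are $(((a, 50)), 50)$, and that each hand-built ordinary execution samples its timed counterpart with an equal timed trace, which is what Lemma 4.7 asserts. is_execution with idle_step checks that the constructed execution of $Idle$ really follows its step relation; the ν step to time 60 from a state with $b = true$ is refused, since $a$ is still due at 50.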


4.2 Live Timed Automata

The notion of live timed automaton is now introduced. The definition is similar to the definition of a live automaton in the untimed model (Definition 3.2) except for the fact that the liveness condition is a set of timed executions.

Definition 4.8 (Live timed automaton)

A timed liveness condition $L$ for a timed automaton $A$ is a subset of the timed executions of $A$ such that any finite timed execution of $A$ has an extension in $L$. Formally, $L \subseteq t\text{-}exec(A)$ such that for all $\aleph \in t\text{-}exec^*(A)$ there exists an $\aleph' \in t\text{-}frag(A)$ such that $\aleph \frown \aleph' \in L$.

A live timed automaton is a pair $(A, L)$, where $A$ is a timed automaton and $L$ is a timed liveness condition for $A$. The timed executions in $L$ are called the live timed executions of $A$. ∎

4.3 Safe Timed I/O Automata

Definition 4.9 (Safe timed I/O automaton)

A safe timed I/O automaton is a timed automaton $A$ augmented with a visible action signature, $vsig(A) = (in(A), out(A))$, which partitions $vis(A)$ into input and output actions. $A$ must be input-enabled.

The internal and output actions of a safe timed I/O automaton $A$ are referred to as the locally-controlled actions of $A$, written $local(A)$. Thus, $local(A) = int(A) \cup out(A)$. ∎
Parallel composition of safe timed I/O automata is defined similarly to the corresponding definition for the untimed model (Definition 3.4). However, the time-passage steps and the $now$ mappings of the component safe timed I/O automata need special treatment. Specifically, time is only allowed to pass by a certain amount in the composition if all components allow the same amount of time to pass. Also, the state space of the composition consists of all states in the cartesian product of the component state spaces where the component states have the same $now$ values. Thus, the components must agree on the time. The $now$ mapping of the composition is then defined to be the $now$ mapping of any of the components.

Definition 4.10 (Parallel composition)

Safe timed I/O automata $A_1, \ldots, A_N$ are compatible if for all $1 \leq i, j \leq N$ with $i \neq j$, the following conditions hold:

1. $out(A_i) \cap out(A_j) = \emptyset$
2. $int(A_i) \cap acts(A_j) = \emptyset$

The parallel composition $A_1 \| \cdots \| A_N$ of compatible safe timed I/O automata $A_1, \ldots, A_N$ is the safe timed I/O automaton $A$ such that

1. $states(A) = \{(s_1, \ldots, s_N) \in states(A_1) \times \cdots \times states(A_N) \mid s_1.now_{A_1} = \cdots = s_N.now_{A_N}\}$
2. $start(A) = start(A_1) \times \cdots \times start(A_N)$
3. $(s_1, \ldots, s_N).now_A = s_1.now_{A_1}$ $(= s_2.now_{A_2} = \cdots = s_N.now_{A_N})$
4. $out(A) = out(A_1) \cup \cdots \cup out(A_N)$
5. $in(A) = (in(A_1) \cup \cdots \cup in(A_N)) \setminus out(A)$
6. $int(A) = int(A_1) \cup \cdots \cup int(A_N)$
7. $((s_1, \ldots, s_N), a, (s'_1, \ldots, s'_N)) \in steps(A)$ iff for all $1 \leq i \leq N$
   (a) if $a \in acts(A_i)$ then $(s_i, a, s'_i) \in steps(A_i)$
   (b) if $a \notin acts(A_i)$ then $s_i = s'_i$ ∎

Note how Condition 7 of the definition captures both time-passage steps (where all components participate, since $\nu$ is an action of every component) and other steps (where a subset of the components participate).
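An added example (not code from the paper) of Definition 4.10 in Python: a component is represented by its signature, an explicit set of start states, a step predicate and a $now$ map, and compose builds the product automaton with the $now$-agreement condition on states and Condition 7 on steps, so that time can only advance by an amount every component permits. $Idle$ is the automaton of Example 4.2; the receiver RECV, its signature, and the specific states probed in demo() are constructed for this example.

```python
"""Parallel composition of safe timed I/O automata (Definition 4.10)."""
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, FrozenSet, List

NU = "nu"   # the time-passage action ν, an action of every timed automaton

@dataclass(frozen=True)
class TIOA:
    """A safe timed I/O automaton given by its signature, an explicit set of
    start states, a step predicate and a now map (representation chosen for
    this example)."""
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    internals: FrozenSet[str]
    start: FrozenSet[Any]
    step: Callable[[Any, str, Any], bool]
    now: Callable[[Any], float]

    def acts(self) -> FrozenSet[str]:
        return self.inputs | self.outputs | self.internals | frozenset({NU})

def compatible(parts: List[TIOA]) -> bool:
    """Outputs pairwise disjoint; no internal action of one is an action of another."""
    return all(not (a.outputs & b.outputs) and not (a.internals & b.acts())
               for i, a in enumerate(parts) for j, b in enumerate(parts) if i != j)

def compose(parts: List[TIOA]) -> TIOA:
    """A_1 || ... || A_N.  States are tuples whose components agree on now; a step
    is a step of every component that has the action and leaves the others
    unchanged (Condition 7).  Because ν is an action of every component, time
    can pass only by an amount every component permits."""
    if not compatible(parts):
        raise ValueError("components are not compatible")

    def is_state(s) -> bool:                      # Condition 1: all components agree on now
        return len(s) == len(parts) and len({p.now(c) for p, c in zip(parts, s)}) == 1

    def step(s, a, s2) -> bool:                   # Condition 7 (a) and (b)
        return is_state(s) and is_state(s2) and all(
            p.step(c, a, c2) if a in p.acts() else c == c2
            for p, c, c2 in zip(parts, s, s2))

    out = frozenset().union(*(p.outputs for p in parts))
    return TIOA(
        inputs=frozenset().union(*(p.inputs for p in parts)) - out,   # Condition 5
        outputs=out,
        internals=frozenset().union(*(p.internals for p in parts)),
        start=frozenset(product(*(p.start for p in parts))),
        step=step,
        now=lambda s: parts[0].now(s[0]),                              # Condition 3
    )

def idle_step(s, a, s2) -> bool:
    """Idle of Example 4.2: time may pass up to 50, output a exactly at 50."""
    (t, b), (t2, b2) = s, s2
    if a == NU:
        return t < t2 and b == b2 and (not b or t2 <= 50)
    return a == "a" and s == (50.0, True) and s2 == (50.0, False)

def recv_step(s, a, s2) -> bool:
    """Constructed receiver: input-enabled for a in every state, lets any amount
    of time pass, and may output b at any time once a has been received."""
    (t, got), (t2, got2) = s, s2
    if a == NU:
        return t < t2 and got == got2
    if a == "a":
        return t == t2 and got2 is True
    return a == "b" and got and t == t2 and got2 is True

IDLE = TIOA(frozenset(), frozenset({"a"}), frozenset(), frozenset({(0.0, True)}), idle_step, lambda s: s[0])
RECV = TIOA(frozenset({"a"}), frozenset({"b"}), frozenset(), frozenset({(0.0, False)}), recv_step, lambda s: s[0])
SYS = compose([IDLE, RECV])

def demo() -> dict:
    s0, s1 = ((0.0, True), (0.0, False)), ((50.0, True), (50.0, False))
    s2 = ((50.0, False), (50.0, True))
    return {
        "time_passes_to_50": SYS.step(s0, NU, s1),                                  # both allow it
        "time_to_60_refused": not SYS.step(s0, NU, ((60.0, True), (60.0, False))),  # Idle owes a at 50
        "a_synchronises": SYS.step(s1, "a", s2),                # output of Idle, input of RECV
        "b_is_local_to_recv": SYS.step(s2, "b", s2),            # Idle component unchanged
        "a_no_longer_an_input": "a" in SYS.outputs and "a" not in SYS.inputs,
        "skewed_clocks_not_a_state": not SYS.step(s0, NU, ((50.0, True), (40.0, False))),
    }
```

All entries of demo() are true: the composed automaton lets 50 time units pass because both components do, refuses a ν step to 60 because $Idle$ does, synchronises $a$ between the two components, lets RECV perform $b$ alone, reclassifies $a$ as an output of the composition (Condition 5), and rejects any tuple whose components disagree on $now$. compatible([IDLE, IDLE]) is false, since both claim output $a$.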

Lemma 3.5 carries over to the timed case. However, a new definition of projection is needed for timed executions. Specifically, let $A = A_1 \| \cdots \| A_N$. For any function $\omega$ from an interval of time to $states(A)$, define $\omega \lceil A_i$ to be obtained from $\omega$ by projecting every state in the range of $\omega$ to $A_i$. Let $\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be an alternating sequence of functions from intervals of time to $states(A)$ and actions from $acts(A) \setminus \{\nu\}$ such that $\aleph$ does not end in an action if it is a finite sequence. Then the projection $\aleph \lceil A_i$ of $\aleph$ onto $A_i$ is obtained by projecting each $\omega_j$ of $\aleph$ onto $A_i$, removing each action $a_j$ that is not an action of $A_i$, and concatenating each pair of (projected) functions $\omega_j, \omega_{j+1}$ whose interleaved action is removed.

The following lemma relates the timed executions of a composed timed automaton with those of the component timed automata.

Lemma 4.11

Let $A = A_1 \| \cdots \| A_N$. Let $\aleph = \omega_0 a_1 \omega_1 a_2 \omega_2 \cdots$ be an alternating sequence of functions from intervals of time to $states(A)$ and actions from $acts(A) \setminus \{\nu\}$ such that $\aleph$ does not end in an action if it is a finite sequence, the domain of each function $\omega_j$ that is not the last function of $\aleph$ is closed, and, if $\aleph$ is a finite sequence, the domain of the last function of $\aleph$ is left-closed. Let $consistent(\aleph)$ be the predicate that is true iff for each $A_i$ and each $j$ such that $a_j \notin acts(A_i)$, $lstate(\omega_{j-1}) \lceil A_i = fstate(\omega_j) \lceil A_i$. Then,

1. $consistent(\aleph)$ and $\aleph \lceil A_i \in t\text{-}exec^*(A_i)$, for all $A_i$, iff $\aleph \in t\text{-}exec^*(A)$.
2. $consistent(\aleph)$ and $\aleph \lceil A_i \in t\text{-}exec^\infty(A_i)$, for all $A_i$, iff $\aleph \in t\text{-}exec^\infty(A)$.
3. $consistent(\aleph)$ and $\aleph \lceil A_i \in t\text{-}exec^Z(A_i)$, for all $A_i$, iff $\aleph \in t\text{-}exec^Z(A)$.
4. $consistent(\aleph)$ and $\aleph \lceil A_i \in t\text{-}exec(A_i)$, for all $A_i$, iff $\aleph \in t\text{-}exec(A)$.

If $\aleph \in t\text{-}exec(A)$ then, for all $i$, $ltime(\aleph) = ltime(\aleph \lceil A_i)$. ∎

We now turn attention to the timed versions of action hiding and action renaming. The only changes from the untimed model are the handling of the $now$ component and the fact that the time-passage action, $\nu$, may not be renamed.


Definition 4.12 (Action hiding)

Let $A$ be a safe timed I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq local(A)$. Then define $A \setminus \Lambda$ to be the safe timed I/O automaton such that

1. $states(A \setminus \Lambda) = states(A)$
2. $start(A \setminus \Lambda) = start(A)$
3. $now_{A \setminus \Lambda} = now_A$
4. $in(A \setminus \Lambda) = in(A)$
5. $out(A \setminus \Lambda) = out(A) \setminus \Lambda$
6. $int(A \setminus \Lambda) = int(A) \cup \Lambda$
7. $steps(A \setminus \Lambda) = steps(A)$ ∎

Lemma 4.13

Let $A$ be a safe timed I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq local(A)$. Then

1. $t\text{-}exec^*(A \setminus \Lambda) = t\text{-}exec^*(A)$
2. $t\text{-}exec^\infty(A \setminus \Lambda) = t\text{-}exec^\infty(A)$
3. $t\text{-}exec^Z(A \setminus \Lambda) = t\text{-}exec^Z(A)$
4. $t\text{-}exec(A \setminus \Lambda) = t\text{-}exec(A)$ ∎

Definition 4.14 (Action renaming)

A mapping $\rho$ from actions to actions is applicable to a safe timed I/O automaton $A$ if it is injective, $acts(A) \subseteq dom(\rho)$, and $\rho(\nu) = \nu$. Given a safe timed I/O automaton $A$ and a mapping $\rho$ applicable to $A$, define $\rho(A)$ to be the safe timed I/O automaton such that

1. $states(\rho(A)) = states(A)$
2. $start(\rho(A)) = start(A)$
3. $now_{\rho(A)} = now_A$
4. $steps(\rho(A)) = \{(s, \rho(a), s') \mid (s, a, s') \in steps(A)\}$ ∎

Lemma 4.15

Let $A$ be a safe timed I/O automaton and $\rho$ be a mapping applicable to $A$. For any timed execution $\aleph$ of $A$, let $\rho(\aleph)$ denote the sequence obtained by replacing each occurrence of every action $a$ in $\aleph$ by $\rho(a)$, and for any set $L$ of timed executions of $A$, let $\rho(L) = \{\rho(\aleph) \mid \aleph \in L\}$. Then

1. $t\text{-}exec^*(\rho(A)) = \rho(t\text{-}exec^*(A))$
2. $t\text{-}exec^\infty(\rho(A)) = \rho(t\text{-}exec^\infty(A))$
3. $t\text{-}exec^Z(\rho(A)) = \rho(t\text{-}exec^Z(A))$
4. $t\text{-}exec(\rho(A)) = \rho(t\text{-}exec(A))$ ∎
4.4 Live Timed I/O Automata 


In order to define live timed I/O automata, the notion of environment-freedom is generalized 
to timed systems. As for the untimed model a live timed I/O automaton is environment-free 
if it can behave properly independently of the behavior of the environment. Specifically, a 
game is set up between a timed automaton and its environment and the timed automaton is 
environment-free iff it has a winning strategy against its environment. 

The notion of strategy is similar to the one used for the untimed model. However, the 
presence of time has a strong impact on the type of interactions that can occur between a 
timed automaton and its environment. 

In the untimed model the environment is allowed to provide any finite number of input 
actions at each move, and the system is allowed to perform at most one of its locally-controlled 
actions at each move. Thus, the fact that the environment can be arbitrarily fast with respect 
to the system, but not infinitely fast, is reflected in the structure of the environment moves. 
This structure is not needed in the timed model since actions in the timed model are associated 
with specific times. In particular, the relative speeds of the system and the environment are 
given directly by their timing constraints. The behavior of the environment during the game 
can be represented simply as a timed sequence over input actions. 

In the untimed model a strategy is not allowed to base its decisions on any future input 
actions from the environment. In the timed model, not only is the strategy not allowed to 
know about the occurrence of future input actions, but the strategy is also not allowed to 
know anything about the timing of such input actions, e.g., that no inputs will arrive in the 
next $\epsilon$ time units. Thus, if a strategy in the timed model decides to let time pass, it is required 
to specify explicitly all intermediate states. By specifying all states at intermediate times for a 
time-passage step, the current state of the system will always be known should the time-passage 
step be interrupted by an input action. 

As in the untimed model, a strategy in the timed model is a pair of functions $(g, f)$. Function 
$f$ takes a finite timed execution and decides how the system behaves until its next locally-
controlled action under the assumption that no inputs are received in the meantime; function 
$g$ decides what state to reach whenever some input is received. 


Definition 4.16 (Strategy) 


Consider any safe timed I/O automaton $A$. A strategy defined on $A$ is a pair of functions 
$(g, f)$ where $g : t\text{-}exec^*(A) \times in(A) \to states(A)$ and $f : t\text{-}exec^*(A) \to (traj(A) \times local(A) \times states(A)) \cup traj(A)$, where $traj(A)$ denotes the set of $A$-trajectories, such that 


1. $g(\alpha, a) = s$ implies $\alpha\, a\{s\} \in t\text{-}exec^*(A)$ 
2. $f(\alpha) = (w, a, s)$ implies $\alpha \frown w\, a\{s\} \in t\text{-}exec^*(A)$ 
3. $f(\alpha) = w$ implies $\alpha \frown w \in t\text{-}exec^\infty(A)$ 
4. $f$ is consistent, i.e., if $f(\alpha) = (w, a, s)$, then, for each $t$, $ftime(w) \le t < ltime(w)$, 
$f(\alpha \frown (w \lhd t)) = (w \rhd t, a, s)$, and, if $f(\alpha) = w$, then, for each $t$, $ftime(w) \le t < ltime(w)$, 
$f(\alpha \frown (w \lhd t)) = w \rhd t$. 

For notational convenience define $f(\alpha).trj = w$ if $f(\alpha) = w$, and $f(\alpha).trj = w$ if $f(\alpha) = (w, a, s)$. ∎


Condition 1 of Definition 4.16 states that g returns a “legal” next state given an input. Con- 
ditions 2 and 3 state the two possible system moves given by f: either f specifies time-passage 
followed by a local step, or f specifies that the system simply lets time pass forever. Note 
that f specifies all states during time passage. The consistency condition (Condition 4) for f 
says that, whenever after a finite timed execution the system decides to behave according to 
wa{s} or w, after performing a part of w the system would decide to behave according to the 
rest of wa{s} or w. In other words, a strategy decision cannot change in the absence of some 
inputs. The consistency condition is required for the closure of the composition operator. 

The game between the system and the environment works as follows. The environment can 
provide any input at any time, while the system lets time pass and provides locally-controlled 
actions based on its strategy. It is very important for the system moves not to be based on the 
future moves of the environment. Specifically, at any point in time the system decides its next 
move using function f. If an input comes, the system will perform its current step just until 
the time at which the input occurs, and then use function g to compute the state reached as 
a result of the input. 

A new problem arises when the system decides to perform an action at the same time 
at which the environment is providing some input. Our model does not rule out such race 
conditions. Practical examples of such situations arise whenever the system has some timeout 
mechanism and the input occurs exactly when the timeout period expires. The race conditions 
are modeled as nondeterministic choices. As a consequence, the outcome, i.e., the result of the 
game, for a timed strategy is a set of timed executions. 

The following definition of the outcome of a strategy for safe timed I/O automata closely 
parallels the corresponding definition in the untimed model. 


Definition 4.17 (Outcome of a strategy) 


Let $A$ be a safe timed I/O automaton and $(g, f)$ a strategy defined on $A$. Define a timed 
environment sequence for $A$ to be a timed sequence over $in(A)$, and define a timed environment 
sequence $Z$ for $A$ to be compatible with a timed execution fragment $\alpha$ of $A$ if either $Z$ is 
empty, or $\alpha$ is finite and $ltime(\alpha) \le ftime(Z)$. Then define $R_{(g,f)}$, the next-relation induced by 
$(g, f)$, as follows: for any $\alpha, \alpha' \in t\text{-}exec(A)$ and any $Z, Z'$ compatible with $\alpha, \alpha'$, respectively, 
$((\alpha, Z), (\alpha', Z')) \in R_{(g,f)}$ iff $(\alpha', Z')$ is one of 


1. $(\alpha \frown w\,a\{s\},\ Z)$ where $\alpha$ is finite, $Z = \varepsilon$, $f(\alpha) = (w, a, s)$, 
2. $(\alpha \frown w,\ Z)$ where $\alpha$ is finite, $Z = \varepsilon$, $f(\alpha) = w$, 
3. $(\alpha \frown w\,a\{s\},\ Z)$ where $\alpha$ is finite, $Z = (b, t)Z''$, $f(\alpha) = (w, a, s)$, $ltime(w) \le t$, 
4. $(\alpha \frown w'\,a\{s'\},\ Z'')$ where $\alpha$ is finite, $Z = (a, t)Z''$, $f(\alpha).trj = w$, $ltime(w) \ge t$, $w' = w \lhd t$, $g(\alpha \frown w', a) = s'$, or 
5. $(\alpha, Z)$ where $\alpha$ is not finite. 


Let $\alpha$ be a finite timed execution of $A$, and $Z$ be a timed environment sequence for $A$ compatible 
with $\alpha$. 


An outcome sequence of $(g, f)$ given $\alpha$ and $Z$ is an infinite sequence $(\alpha^n, Z^n)_{n \ge 0}$ that satisfies: 


• $(\alpha^0, Z^0) = (\alpha, Z)$ and 
• for all $n > 0$, $((\alpha^{n-1}, Z^{n-1}), (\alpha^n, Z^n)) \in R_{(g,f)}$. 


Note that $(\alpha^n)_{n \ge 0}$ forms a chain ordered by t-prefix. 


The outcome $O_{(g,f)}(\alpha, Z)$ of the strategy $(g, f)$ given $\alpha$ and $Z$ is the set of timed executions 
$\alpha'$ for which there exists an outcome sequence $(\alpha^n, Z^n)_{n \ge 0}$ of $(g, f)$ given $\alpha$ and $Z$ such that 
$\alpha' = \lim_n \alpha^n$. ∎


The set of outcome sequences of $(g, f)$ given some $\alpha$ and $Z$ is determined step by step using 
the next-relation $R_{(g,f)}$. In the definition of $R_{(g,f)}$, the first, second, and third cases deal with 
different situations in which no input occurs during the system move chosen by $f$. The fourth 
case takes care of the situation in which inputs do occur during the system move chosen by $f$. 
Note that the third and fourth cases may both be applicable whenever the next input action 
of $Z$ and the local action chosen by $f$ occur at the same time. This is why the outcome is a 
set of timed executions. Finally, the fifth case is needed for technical convenience, since the 
second case generates an admissible timed execution. 
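As an added illustration of the next-relation and the outcome set of Definition 4.17 (this is example code written for this page, not code from the paper), the following constructs a small safe timed I/O automaton, a re-armable timeout whose only input is `arm` and whose only locally-controlled action is `timeout`, and enumerates every outcome sequence of a strategy $(g, f)$ against a finite timed environment sequence. Trajectories are abstracted to "the state is constant while time passes"; the automaton, the helper names `make_exec`, `next_pairs` and `outcome`, and the encoding of a timed execution as (events, last state, ltime) are all assumptions of this example. The point it makes concrete is the race in the third and fourth cases: when an input falls exactly on the time of the chosen local action, both cases apply and the outcome is a set with more than one element.

```python
from fractions import Fraction as Fr

INF = float("inf")

# Constructed example automaton (not from the paper): a re-armable timeout.
# in(A) = {"arm"}, local(A) = {"timeout"}.  An "arm" at time t (re)sets a
# deadline t + DELAY; "timeout" fires exactly at the deadline.  States are
# ("idle",) or ("armed", deadline).  Trajectories are abstracted to "the state
# is constant while time passes", so a finite timed execution is (events,
# last state, ltime); an admissible one (time passes forever) is flagged.
DELAY = Fr(2)


def make_exec(events=(), state=("idle",), now=Fr(0), admissible=False):
    return {"events": tuple(events), "state": state, "now": now,
            "admissible": admissible}


def g(alpha, a):
    """g(alpha, a): state reached when input a occurs at ltime(alpha)."""
    return ("armed", alpha["now"] + DELAY)


def f(alpha):
    """f(alpha): (ltime(w), local action, next state) for 'let time pass to
    ltime(w), then step', or None for 'let time pass forever'."""
    st = alpha["state"]
    return (st[1], "timeout", ("idle",)) if st[0] == "armed" else None


def advance(alpha, t):
    """alpha ~ w with w the trajectory up to time t (t == INF: admissible)."""
    return make_exec(alpha["events"], alpha["state"], t, admissible=(t == INF))


def do_local(alpha, move):
    """alpha ~ w a {s}: time passes to ltime(w), then the local action a."""
    t, a, s = move
    return make_exec(alpha["events"] + ((t, a),), s, t)


def do_input(alpha, b):
    """alpha b {g(alpha, b)}: the environment's input b at ltime(alpha)."""
    return make_exec(alpha["events"] + ((alpha["now"], b),), g(alpha, b), alpha["now"])


def next_pairs(alpha, Z):
    """All (alpha', Z') with ((alpha, Z), (alpha', Z')) in R_(g,f) (Definition 4.17).
    Z is the timed environment sequence, a list of (input, time)."""
    if alpha["admissible"]:
        return [(alpha, Z)]                            # case 5: alpha is not finite
    move = f(alpha)
    if not Z:
        if move is None:
            return [(advance(alpha, INF), Z)]          # case 2: time passes forever
        return [(do_local(alpha, move), Z)]            # case 1: local step, no input
    b, t = Z[0]
    assert alpha["now"] <= t, "Z must be compatible with alpha"
    succ = []
    if move is not None and move[0] <= t:              # case 3: local step comes first
        succ.append((do_local(alpha, move), Z))
    if move is None or move[0] >= t:                   # case 4: input at t interrupts w
        succ.append((do_input(advance(alpha, t), b), Z[1:]))
    return succ                                        # both apply when ltime(w) == t


def outcome(alpha, Z, bound=50):
    """O_(g,f)(alpha, Z): event traces of the limits of all outcome sequences.
    Every branch must become admissible within `bound` steps (finite Z here)."""
    frontier, limits = [(alpha, Z)], set()
    for _ in range(bound):
        nxt = []
        for pair in frontier:
            for a2, z2 in next_pairs(*pair):
                if a2["admissible"]:
                    limits.add(a2["events"])           # fixpoint of the chain
                else:
                    nxt.append((a2, z2))
        if not nxt:
            return limits
        frontier = nxt
    raise RuntimeError("no admissible limit within bound (Zeno or unbounded Z)")
```

With `Z = [("arm", 1)]` the outcome is a single trace (`arm` at 1, `timeout` at 3). With `Z = [("arm", 1), ("arm", 3)]` the second input falls exactly on the deadline, so at that step the third and fourth cases both apply and `outcome` returns two traces, one in which `timeout` precedes the re-arming `arm` at time 3 and one in which the `arm` arrives first and the timeout is pushed to time 5; in both, time then passes forever, as Lemma 4.18 promises.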

The following lemma states that an outcome set is never empty and that an element of 
an outcome cannot be finite. Furthermore, if an element of an outcome is Zeno, it contains 
infinitely many actions (other than the implicit time-passage actions). 


Lemma 4.18 


Let $A$ be a safe timed I/O automaton, $(g, f)$ a strategy defined on $A$, $\alpha$ a finite timed execution 
of $A$, and $Z$ a timed environment sequence for $A$ compatible with $\alpha$. Then $O_{(g,f)}(\alpha, Z) \ne \emptyset$ 
and $O_{(g,f)}(\alpha, Z) \subseteq (t\text{-}exec^\infty(A) \cup t\text{-}exec^{Z}(A))$. Furthermore, if $\alpha' \in O_{(g,f)}(\alpha, Z)$ and $\alpha' \in 
t\text{-}exec^{Z}(A)$, then $|\alpha'\lceil acts(A)| = \infty$. 

Proof. Let $R_{(g,f)}$ be the next-relation induced by $(g, f)$. Construct an outcome sequence 
of $(g, f)$ given $\alpha$ and $Z$ inductively as follows. Define $(\alpha^0, Z^0) = (\alpha, Z)$. For any $n > 0$, 
assume $(\alpha^{n-1}, Z^{n-1})$ has been defined. Then it is easy to see that the condition of at least 
one case in the definition of $R_{(g,f)}$ is satisfied. Thus, define $(\alpha^n, Z^n)$ to be any pair such that 
$((\alpha^{n-1}, Z^{n-1}), (\alpha^n, Z^n)) \in R_{(g,f)}$. This inductively defined outcome sequence gives rise to an 
element in $O_{(g,f)}(\alpha, Z)$. That proves that $O_{(g,f)}(\alpha, Z)$ is not empty. 


Now, let $(\alpha^n, Z^n)$ be an arbitrary outcome sequence of $(g, f)$ given $\alpha$ and $Z$. Clearly, $\alpha^0 = \alpha \in 
t\text{-}exec(A)$. Now assume that $\alpha^n \in t\text{-}exec(A)$. Then, by the four conditions of Definition 4.16, 
it is easy to see that also $\alpha^{n+1} \in t\text{-}exec(A)$. Thus, by induction, $\alpha^n \in t\text{-}exec(A)$ for all $n \ge 0$. 
Now, assume $\alpha' = \lim_{n \to \infty}(\alpha^n) \notin t\text{-}exec(A)$. Then there must be a finite t-prefix $\alpha''$ of $\alpha'$ such 
that $\alpha'' \notin t\text{-}exec^*(A)$. Also, $\alpha''$ must be a t-prefix of $\alpha^n$ for some $n$. However, this contradicts 
the fact that $\alpha^n \in t\text{-}exec(A)$. Thus, $\alpha' \in t\text{-}exec(A)$. 

Now, assume that $\alpha'$ is finite. Then there exists a number $n'$ such that for all $n > n'$, $\alpha^n = 
\alpha^{n-1} = \alpha'$, but this contradicts the definition of $R_{(g,f)}$. Thus, $O_{(g,f)}(\alpha, Z) \subseteq (t\text{-}exec^\infty(A) \cup 
t\text{-}exec^{Z}(A))$. 

Finally, it is easy to see that if $\alpha' \in t\text{-}exec^{Z}(A)$, then $\alpha'$ is an infinite sequence of trajectories 
and actions. Only the second case in the definition of $R_{(g,f)}$ can lead to a finite sequence, but 
in this case the outcome will be admissible (cf. Definition 4.16, Condition 3). This proves the 
final part of the lemma. ∎


Another problem due to the explicit presence of time in the model is the capability of a system 
to block time. Under the reasonable assumption that it is natural for a system to require that 
time advances forever, a timed automaton that blocks time cannot be environment-free. Thus, 
we could assume that finite and Zeno timed executions are not live and that the environment 
cannot block time. However, as is illustrated in the following example due to Lamport, Zeno 
timed executions cannot be ignored completely. 


Example 4.19 


Consider two safe timed I/O automata $A, B$ such that $in(A) = out(B) = \{b\}$ and $out(A) = 
in(B) = \{a\}$. Let $A$ start by performing its output action $a$ and let $B$ start by waiting for 
some input. Furthermore, let both $A$ and $B$ reply to their $n$th input with an output action 
exactly $1/2^n$ time units after the input has occurred. 

Consider the following definition of environment-freedom, which assumes that the environ-
ment does not behave in a Zeno manner: a pair $(A, L)$ is environment-free iff there exists a 
strategy $(g, f)$ defined on $A$ such that for each finite timed execution $\alpha$ of $A$ and any admissible 
timed environment sequence $Z$ for $A$ compatible with $\alpha$ we have $O_{(g,f)}(\alpha, Z) \subseteq L$. Then it is 
easy to observe that, if $L_A$ and $L_B$ are defined to be the set of admissible timed executions 
of $A$ and $B$, respectively, the pairs $(A, L_A)$ and $(B, L_B)$ are environment-free. However, the 
parallel composition of $A$ and $B$ yields no admissible executions; rather, it only yields a Zeno 
timed execution, which blocks time. Thus, the parallel composition of $(A, L_A)$ and $(B, L_B)$ 
constrains the environment. Observe that $(A, L_A)$ and $(B, L_B)$ "unintentionally" collaborate 
to generate a Zeno timed execution: each pair looks like a Zeno environment to the other. 


To eliminate the problem of Example 4.19 one must ensure that a system does not collaborate 
with its environment to generate a Zeno timed execution. We call Zeno-tolerant those timed 
executions where such a collaboration does not arise. 


Definition 4.20 (Special types of timed executions) 
Given a safe timed I/O automaton $A$, and given a timed execution $\alpha$ of $A$, 


• $\alpha$ is said to be environment-Zeno if $\alpha$ is a Zeno timed execution that contains infinitely 
many input actions; 


• $\alpha$ is said to be system-Zeno if $\alpha$ is a Zeno timed execution that either contains infinitely 
many locally-controlled actions or contains finitely many actions; 


• $\alpha$ is said to be Zeno-tolerant if it is an environment-Zeno, non-system-Zeno timed exe-
cution; equivalently, $\alpha$ is Zeno-tolerant if 
1. $ltime(\alpha)$ is finite, 
2. $\alpha$ contains infinitely many input actions, and 
3. $\alpha$ contains finitely many locally-controlled actions. 


Denote by $t\text{-}exec^{Zt}(A)$ the set of Zeno-tolerant timed executions of $A$. ∎


A Zeno-tolerant strategy guarantees that the system never chooses to block time in order to 
win its game against the environment. That is, a Zeno-tolerant strategy produces Zeno timed 
executions only when applied to a Zeno timed environment sequence $Z$, and in these cases the 
outcome is Zeno-tolerant. Thus, the system does not respond to Zeno inputs by behaving in a 
Zeno fashion. 


Definition 4.21 (Zeno-tolerant strategy) 


A strategy $(g, f)$ defined on a safe timed I/O automaton $A$ is said to be Zeno-tolerant if, for 
every finite timed execution $\alpha \in t\text{-}exec^*(A)$ and every timed environment sequence $Z$ for $A$ 
compatible with $\alpha$, $O_{(g,f)}(\alpha, Z) \subseteq t\text{-}exec^\infty(A) \cup t\text{-}exec^{Zt}(A)$.  ∎


Now the definition of environment-freedom for the timed model is possible. 


Definition 4.22 (Environment-freedom) 


A pair $(A, L)$ where $A$ is a safe timed I/O automaton and $L \subseteq t\text{-}exec(A)$ is environment-free iff 
there exists a Zeno-tolerant strategy $(g, f)$ defined on $A$ such that for each finite timed execution 
$\alpha$ of $A$ and each timed environment sequence $Z$ for $A$ compatible with $\alpha$, $O_{(g,f)}(\alpha, Z) \subseteq L$. 
The pair $(g, f)$ is called an environment-free strategy for $(A, L)$. ∎

A pair $(A, L)$ is environment-free if, after any finite timed execution and with any (Zeno 
or non-Zeno) sequence of input actions, it can generate some admissible or Zeno-tolerant 
timed execution in $L$. Also, $A$ must never generate one of its finite or system-Zeno timed 
executions, since it would constrain its environment in this case. Thus liveness conditions 
should not include any finite or system-Zeno timed execution. Zeno-tolerant timed executions 
are used only to handle illegal interactions, and therefore also should not be included in liveness 
conditions. This leads to the definition of live timed I/O automata, where the liveness condition 
contains only admissible timed executions, but the strategy is allowed to yield Zeno-tolerant 
outcomes when given a Zeno timed environment sequence. 


Definition 4.23 (Live timed I/O automaton) 


A live timed I/O automaton is a pair $(A, L)$, where $A$ is a safe timed I/O automaton and 
$L \subseteq t\text{-}exec^\infty(A)$, such that the pair $(A, L \cup t\text{-}exec^{Zt}(A))$ is environment-free. ∎


Lemma 4.24 
If $(A, L)$ is a live timed I/O automaton, then $L$ is a timed liveness condition for $A$. 


Proof. Given a finite timed execution $\alpha$ of $A$, consider an environment-free strategy $(g, f)$ 
for $(A, L \cup t\text{-}exec^{Zt}(A))$. Consider any timed execution $\alpha \frown \alpha' \in O_{(g,f)}(\alpha, \varepsilon)$. Such a timed 
execution exists according to Lemma 4.18. The timed execution $\alpha \frown \alpha'$ is not Zeno-tolerant 
since it contains finitely many input actions. Therefore $\alpha \frown \alpha'$ is a timed execution of $L$, i.e., 
$\alpha$ can be extended to a timed execution of $L$. ∎


As in the untimed model, the parallel composition, action hiding, and action renaming opera- 
tors defined for safe timed I/O automata are extended to live timed I/O automata. 


Definition 4.25 (Parallel composition) 


Live timed I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible iff the safe timed I/O automata 
$A_1, \ldots, A_N$ are compatible. 


The parallel composition $(A_1, L_1)\|\cdots\|(A_N, L_N)$ of compatible live timed I/O automata 
$(A_1, L_1), \ldots, (A_N, L_N)$ is defined to be the pair $(A, L)$ where $A = A_1\|\cdots\|A_N$ and $L = \{\alpha \in 
t\text{-}exec(A) \mid \alpha\lceil A_1 \in L_1, \ldots, \alpha\lceil A_N \in L_N\}$. ∎


The restriction of the parallel composition operator to finitely many components can now be 
justified with the following example. 


Example 4.26 


Let $\{(A_i, L_i)\}_{i \ge 0}$ be a family of infinitely many live timed I/O automata such that each safe 
timed I/O automaton $A_i$ has a unique distinct output action $a_i$ which executes at time 1, and $L_i$ 
is the set of admissible executions of $A_i$. The parallel composition $\|_{i \ge 0}(A_i, L_i)$ exhibits finite 
or Zeno timed executions only since it can never reach a time greater than 1. Specifically, 
infinitely many actions, i.e., the set $\{a_i\}_{i \ge 0}$, must be executed at time 1. Thus $\|_{i \ge 0}(A_i, L_i)$ 
cannot be an environment-free pair. ∎


Definition 4.27 (Action Hiding) 


Let $(A, L)$ be a live timed I/O automaton and let $\Lambda$ be a set of actions such that $\Lambda \subseteq local(A)$. 
Then define $(A, L) \setminus \Lambda$ to be the pair $(A \setminus \Lambda, L)$. ∎


Definition 4.28 (Action Renaming) 


A mapping $\rho$ from actions to actions is applicable to a live timed I/O automaton $(A, L)$ if it 
is applicable to $A$. Let $\alpha$ be a timed execution of $(A, L)$. Define $\rho(\alpha)$ to be the sequence 
that results from replacing each occurrence of every action $a$ in $\alpha$ by $\rho(a)$. Given a live 
timed I/O automaton and a mapping $\rho$ applicable to $(A, L)$, define $\rho((A, L))$ to be the pair 


$(\rho(A), \{\rho(\alpha) \mid \alpha \in L\})$. ∎


As expected, the three operators above are closed for live timed I/O automata in the sense 
that they produce a new live timed I/O automaton. As for the untimed model, this is easy to 
prove for action hiding and renaming, but fairly complicated for parallel composition. 


Proposition 4.29 (Closure of action hiding) 


Let $(A, L)$ be a live timed I/O automaton and let $\Lambda \subseteq local(A)$. Then $(A, L) \setminus \Lambda$ is a live timed 
I/O automaton. 


Proof. Let $(A_\Lambda, L_\Lambda) = (A, L) \setminus \Lambda$, i.e., $(A_\Lambda, L_\Lambda) = (A \setminus \Lambda, L)$ by Definition 4.27. From Defini-
tion 4.12 $A_\Lambda$ is a safe timed I/O automaton. Furthermore, Lemma 4.13 gives $t\text{-}exec^\infty(A_\Lambda) = 
t\text{-}exec^\infty(A)$. Therefore $L_\Lambda \subseteq t\text{-}exec^\infty(A_\Lambda)$ as required by the definition of live timed I/O 
automata (Definition 4.23). 

To show that the pair $(A_\Lambda, L_\Lambda \cup L'_\Lambda)$, where $L'_\Lambda = t\text{-}exec^{Zt}(A_\Lambda)$, is environment-free, it 
suffices to note that any environment-free strategy for $(A, L \cup L')$, where $L' = t\text{-}exec^{Zt}(A)$, 
is also an environment-free strategy for $(A_\Lambda, L_\Lambda \cup L'_\Lambda)$. In fact the hiding operator simply 
changes some output actions into internal actions. The remaining structure of a live timed 
I/O automaton, including its set of locally-controlled actions, is not affected. ∎


Proposition 4.30 (Closure of action renaming) 


Let $(A, L)$ be a live timed I/O automaton and let $\rho$ be a mapping applicable to $(A, L)$. Then 
$\rho((A, L))$ is a live timed I/O automaton. 


Proof. Consider any timed execution $\alpha$ of $(A, L)$. Let $\rho(\alpha)$ be the sequence obtained by 
replacing each occurrence of every action $a$ in $\alpha$ by $\rho(a)$. If $S$ is a set of timed executions of 
$(A, L)$, let $\rho(S) = \{\rho(\alpha) \mid \alpha \in S\}$. 

Let $(A_\rho, L_\rho) = \rho((A, L))$, i.e., $(A_\rho, L_\rho) = (\rho(A), \rho(L))$ by Definition 4.28. From Defini-
tion 4.14 $A_\rho$ is a safe timed I/O automaton. Furthermore, Lemma 4.15 gives $t\text{-}exec^\infty(A_\rho) = 
\rho(t\text{-}exec^\infty(A))$. Therefore, since $L \subseteq t\text{-}exec^\infty(A)$, $L_\rho \subseteq t\text{-}exec^\infty(A_\rho)$ as required by the defini-
tion of live timed I/O automata (Definition 4.23). 

Let $L' = t\text{-}exec^{Zt}(A)$ and let $(g, f)$ be an environment-free strategy for $(A, L \cup L')$. Further-
more, let $L'_\rho = t\text{-}exec^{Zt}(A_\rho)$. Then Lemma 4.15 and the fact that $\rho$ maps $local(A)$ to $local(A_\rho)$ 
and $in(A)$ to $in(A_\rho)$ implies that $L'_\rho = \rho(L')$, which in turn implies $L_\rho \cup L'_\rho = \rho(L \cup L')$. Now, 
define a strategy $(g_\rho, f_\rho)$ for $A_\rho$ as follows: 


$g_\rho(\rho(\alpha), \rho(a)) = g(\alpha, a)$ 


$f_\rho(\rho(\alpha)) = (w, \rho(a), s)$ if $f(\alpha) = (w, a, s)$, and $f_\rho(\rho(\alpha)) = w$ if $f(\alpha) = w$. 


It is now trivial to verify that $(g_\rho, f_\rho)$ is an environment-free strategy for $(A_\rho, L_\rho \cup L'_\rho)$. Con-
sequently, $(A_\rho, L_\rho)$ is a live timed I/O automaton. ∎


As in the untimed model, the proof of closure of the parallel composition operator is consid-
erably more complicated than the proof of closure for action hiding and action renaming. For 
compatible live timed I/O automata $(A_1, L_1), \ldots, (A_N, L_N)$, let $(A, L)$ denote the parallel com-
position $(A_1, L_1)\|\cdots\|(A_N, L_N)$. In order to prove that $(A, L)$ is a live timed I/O automaton 
one must show that $(A, L \cup t\text{-}exec^{Zt}(A))$ is environment-free, which, in turn, requires finding 
an environment-free strategy for $(A, L \cup t\text{-}exec^{Zt}(A))$. 

The proof proceeds by first defining a strategy $(g, f)$ for $(A, L)$ based on a strategy $(g_i, f_i)$ 
for each $(A_i, L_i \cup t\text{-}exec^{Zt}(A_i))$, and then proving that $(g, f)$ is an environment-free strategy 
for $(A, L \cup t\text{-}exec^{Zt}(A))$. 

Function $g$ computes, given input $a$, the next state according to the $g_i$ functions of those 
components of $A$ for which $a$ is an input action, and simply leaves the state unchanged for 
those components for which $a$ is not an action. Function $f$ determines, using each $f_i$, which 
component wishes to execute the next locally-controlled action. Say this is the $k$th component 
and it wishes to perform action $a$ at time $t$. Then each component $A_i$ evolves based on $f_i$ up 
to time $t$. Furthermore, at time $t$, $A_k$ takes a step based on $f_k$ and each $A_i$ for which $a$ is an 
input action takes a step based on $g_i$. 


Definition 4.31 (Parallel composition of (timed) strategies) 


Let $A = A_1\|\cdots\|A_N$ be the parallel composition of compatible safe timed I/O automata 
$A_1, \ldots, A_N$, and let $(g_i, f_i)$, for each $1 \le i \le N$, be a strategy defined on $A_i$. 
The parallel composition $(g_1, f_1)\|\cdots\|(g_N, f_N)$ of the strategies $(g_1, f_1), \ldots, (g_N, f_N)$ is the pair 
of functions $(g, f)$ 

$g : t\text{-}exec^*(A) \times in(A) \to states(A)$ 

$f : t\text{-}exec^*(A) \to (traj(A) \times local(A) \times states(A)) \cup traj(A)$ 
such that 

$g(\alpha, a) = s$ where, for all $1 \le i \le N$, $s\lceil A_i = g_i(\alpha\lceil A_i, a)$ for $a \in in(A_i)$, and 
$s\lceil A_i = lstate(\alpha)\lceil A_i$ for $a \notin acts(A_i)$, 

and $f$ is defined as follows: For all $1 \le i \le N$, define $w_i$ to be $f_i(\alpha\lceil A_i).trj$. Pick any $k$, say 
the smallest, such that $ltime(w_k) = \min_{1 \le i \le N}(ltime(w_i))$. Define $w$ such that 

$w\lceil A_i = w_i \lhd ltime(w_k)$ if $i \ne k$, and $w\lceil A_k = w_k$. 

The definition of $f(\alpha)$ has two cases. 
1. If $f_k(\alpha\lceil A_k) = (w_k, a, s_k)$ then $f(\alpha) = (w, a, s)$, where, for all $1 \le i \le N$, 
$s\lceil A_k = s_k$, 
$s\lceil A_i = g_i((\alpha \frown w)\lceil A_i, a)$ if $i \ne k$ and $a \in in(A_i)$, and 
$s\lceil A_i = lstate(w)\lceil A_i$ if $i \ne k$ and $a \notin acts(A_i)$. 
2. If $f_k(\alpha\lceil A_k) = w_k$, then $f(\alpha) = w$. ∎


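As an added worked example of Definition 4.31 (example code written for this page, not code from the paper), the following composes the strategies of two constructed components: $A_1$, a re-armable timeout with $in(A_1) = \{arm\}$ and $local(A_1) = \{fire\}$, and $A_2$, an acknowledger with $in(A_2) = \{fire\}$ and $local(A_2) = \{ack\}$. The component strategies here depend only on the last state and the current time, so a component's finite timed execution $\alpha\lceil A_i$ is abstracted to (state, now) and trajectories keep the state constant; the components, that abstraction, and the names `compose_g`, `compose_f` and `play` are assumptions of this example. `compose_f` picks the smallest index $k$ with minimal $ltime(w_i)$, truncates the other trajectories at $ltime(w_k)$, and builds $s$ from $s_k$, the $g_i$ of the components that take $a$ as input, and the unchanged states of the rest, exactly as the two cases of the definition prescribe.

```python
from fractions import Fraction as Fr

INF = float("inf")

# Two constructed components (not from the paper).  A component's finite timed
# execution alpha|A_i is abstracted to (state_i, now): the strategies below look
# only at the last state and the current time, and trajectories keep the state
# constant while time passes.
#   A_1: re-armable timeout   in(A_1) = {"arm"},  local(A_1) = {"fire"}
#   A_2: acknowledger         in(A_2) = {"fire"}, local(A_2) = {"ack"}
# "fire" is an output of A_1 and an input of A_2, so the composition is compatible.
SIG = [({"arm"}, {"fire"}), ({"fire"}, {"ack"})]   # (in(A_i), local(A_i))


def g1(s, a, t):   # g_1: input "arm" at time t (re)arms the timeout
    return ("armed", t + Fr(2))


def f1(s, now):    # f_1: (ltime(w), local action, next state), or None = time passes forever
    return (s[1], "fire", ("idle",)) if s[0] == "armed" else None


def g2(s, a, t):   # g_2: input "fire" at time t schedules an acknowledgement
    return ("pending", t + Fr(1))


def f2(s, now):
    return (s[1], "ack", ("quiet",)) if s[0] == "pending" else None


G, F = [g1, g2], [f1, f2]


def compose_g(states, a, now):
    """g of (g_1,f_1)||(g_2,f_2): components with a in in(A_i) use g_i, the
    others keep their last state (a is not one of their actions)."""
    return tuple(G[i](s, a, now) if a in SIG[i][0] else s for i, s in enumerate(states))


def compose_f(states, now):
    """f of the composed strategy (Definition 4.31)."""
    moves = [F[i](s, now) for i, s in enumerate(states)]      # f_i(alpha|A_i)
    ltimes = [INF if m is None else m[0] for m in moves]     # ltime(w_i)
    k = ltimes.index(min(ltimes))                            # smallest minimising index
    if moves[k] is None:
        return None                  # case 2: f(alpha) = w, every component idles forever
    t, a, s_k = moves[k]             # A_k steps at ltime(w_k); the others are cut at t
    new = []
    for i, s in enumerate(states):
        if i == k:
            new.append(s_k)                        # s|A_k = s_k
        elif a in SIG[i][0]:
            new.append(G[i](s, a, t))              # s|A_i = g_i((alpha ~ w)|A_i, a)
        else:
            new.append(s)                          # s|A_i = lstate(w)|A_i
    return (t, a, tuple(new))                      # case 1: f(alpha) = (w, a, s)


def play(states, now, env, bound=20):
    """Game against a timed environment sequence env = [(input, time), ...].
    When an input and the chosen local action fall on the same time this run
    lets the local action go first (the race's other resolution is the fourth
    case of Definition 4.17).  Returns the trace of (time, action)."""
    trace, i = [], 0
    for _ in range(bound):
        move = compose_f(states, now)
        if i < len(env) and (move is None or move[0] > env[i][1]):
            b, t = env[i]
            i += 1
            now, states = t, compose_g(states, b, t)   # input interrupts w at t
            trace.append((t, b))
        elif move is None:
            return trace                               # admissible: time passes forever
        else:
            now, a, states = move                      # local step of A_k at ltime(w_k)
            trace.append((now, a))
    raise RuntimeError("no admissible outcome within bound")
```

With both components idle and a single `arm` at time 1, `play` yields `arm` at 1, `fire` at 3 (the timeout's step, which `compose_g` turns into a pending acknowledgement of $A_2$) and `ack` at 4; when `fire` and `ack` are both due at the same instant, `compose_f` picks the smaller index, so $A_1$ moves first.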
Lemma 4.32 
Let $A_1, \ldots, A_N$ be compatible safe timed I/O automata and let, for each $1 \le i \le N$, $(g_i, f_i)$ be 
a strategy defined on $A_i$. Then $(g_1, f_1)\|\cdots\|(g_N, f_N)$ is a strategy defined on $A_1\|\cdots\|A_N$. 


Proof. Let $(g, f) = (g_1, f_1)\|\cdots\|(g_N, f_N)$ and $A = A_1\|\cdots\|A_N$. To prove that $(g, f)$ is a 
strategy defined on $A$, the four conditions of Definition 4.16 must be checked: 


1-3. Conditions 1-3 are trivial to check given the definitions of $g$ and $f$, and the fact that, for 
all $i$, $(g_i, f_i)$ is a strategy defined on $A_i$. 


4. Consider the consistency condition of Definition 4.16. First assume, for an arbitrary 
$\alpha \in t\text{-}exec^*(A)$, that $f(\alpha) = (w, a, s)$, and let $t$ be an arbitrary time such that $ftime(w) \le 
t < ltime(w)$. It must be shown that $f(\alpha \frown (w \lhd t)) = (w \rhd t, a, s)$. 


Let $k$ be such that $f_k(\alpha\lceil A_k) = (w_k, a, s_k)$. This $k$ exists by definition of $f$. Then, 
for all $i$, either $f_i(\alpha\lceil A_i) = (w_i, a_i, s_i)$, with $ltime(w_i) \ge ltime(w_k)$, or $f_i(\alpha\lceil A_i) = w_i$, 
with $ltime(w_i) = \infty \ge ltime(w_k)$. For all $i$, $ftime(w_i) = ftime(w_k)$. Thus, for all $i$, 
$ftime(w_i) \le t < ltime(w_i)$, so since $f_i$ is consistent 


$f_i((\alpha\lceil A_i) \frown (w_i \lhd t)) = f_i((\alpha \frown (w \lhd t))\lceil A_i) = (w_i \rhd t, a_i, s_i)$ or $w_i \rhd t$, respectively. 


Since by definition $k$ is the smallest index such that $ltime(w_k) = \min_{1 \le j \le N}(ltime(w_j))$ 
and since $ltime(w_i) = ltime(w_i \rhd t)$, $k$ is the smallest index such that $ltime(w_k \rhd t) = 
\min_{1 \le j \le N}(ltime(w_j \rhd t))$. 

Now, since $f_k((\alpha \frown (w \lhd t))\lceil A_k) = (w_k \rhd t, a, s_k)$, the definition of $f$ gives: $f(\alpha \frown (w \lhd t)) = 
(w', a, s')$, where $w'\lceil A_i = w_i \rhd t = (w \rhd t)\lceil A_i$, which implies that $w' = w \rhd t$, and $s'$ is defined 
as follows: $s'\lceil A_k = s_k = s\lceil A_k$, $s'\lceil A_i = g_i(((\alpha \frown (w \lhd t)) \frown w')\lceil A_i, a) = g_i((\alpha \frown w)\lceil A_i, a) = 
s\lceil A_i$ if $i \ne k$ and $a \in in(A_i)$, and $s'\lceil A_i = lstate((\alpha \frown (w \lhd t)) \frown w')\lceil A_i = lstate(\alpha \frown w)\lceil A_i = 
s\lceil A_i$ if $i \ne k$ and $a \notin acts(A_i)$. Hence, for all $i$, $s'\lceil A_i = s\lceil A_i$, which implies $s' = s$. 

Thus, $(w', a, s') = (w \rhd t, a, s)$, which finally gives $f(\alpha \frown (w \lhd t)) = (w \rhd t, a, s)$, as required. 


In a similar fashion, it can be proved that if for arbitrary $\alpha \in t\text{-}exec^*(A)$, $f(\alpha) = w$, then, 
for any $ftime(w) \le t < ltime(w)\ (= \infty)$, it is the case that $f(\alpha \frown (w \lhd t)) = w \rhd t$. 


This concludes the proof that $(g, f)$ is a strategy defined on $A$. ∎


The following lemma is the key lemma for showing that the strategy of Definition 4.31 is 
environment-free if the component strategies are environment-free. Specifically, up to a tech-
nical condition, the projection of an outcome of $(g, f)$ onto a component $A_i$ is an outcome of 
$(g_i, f_i)$. Intuitively this means that even though the composed system uses its composed strat-
egy to find possible outcomes, up to a technical restriction it still looks to each component as 
if it was using its own component strategy. The one restriction in the generality of the lemma 
stems from the following situation. If the system receives Zeno inputs that are not inputs to the 
$i$th component, then the $i$th component observes that time is blocked even though the strategy 
for the $i$th component lets time pass forever. Thus, if an outcome of the composed system is 
Zeno, then the following lemma only applies to the components that perform infinitely many 
actions in the given outcome. Note that the inputs that the $i$th component "sees" are either 
inputs to the composed system or inputs from other components of the system. 


Lemma 4.33 


Let $A_1, \ldots, A_N$ be compatible safe timed I/O automata and let, for each $1 \le i \le N$, $(g_i, f_i)$ be 
a strategy defined on $A_i$. Let $A = A_1\|\cdots\|A_N$ and $(g, f) = (g_1, f_1)\|\cdots\|(g_N, f_N)$. 
Furthermore, let $\alpha$ be an arbitrary finite timed execution of $A$, $Z$ be an arbitrary timed en-
vironment sequence for $A$ compatible with $\alpha$, $\alpha'$ be an arbitrary timed execution of $O_{(g,f)}(\alpha, Z)$, 
and $i$, with $1 \le i \le N$, be an arbitrary index such that if $\alpha'$ is Zeno then $|\alpha'\lceil acts(A_i)| = \infty$. 
Then there exists a timed environment sequence $Z_i$ for $A_i$ compatible with $\alpha\lceil A_i$, such that 


$\alpha'\lceil A_i \in O_{(g_i,f_i)}(\alpha\lceil A_i, Z_i)$. 


Proof. Definition 4.10 implies that $A$ is a safe timed I/O automaton. Furthermore, by 
Lemma 4.32, $(g, f)$ is a strategy defined on $A$. 

Let $R_{(g,f)}$ and $R_{(g_i,f_i)}$ be the next-relations induced by $(g, f)$ and $(g_i, f_i)$, respectively. Also, 
let $(\alpha^n, Z^n)_{n \ge 0}$ be an outcome sequence of $(g, f)$ given $\alpha$ and $Z$ such that $\alpha' = \lim_n \alpha^n$. 
Since $(\alpha^n)_{n \ge 0}$ forms an infinite chain ordered by t-prefix and $\alpha^0 = \alpha$, $\alpha \le_t \alpha'$. Define 
$Z_i = t\text{-}seq(\alpha' - \alpha)\lceil(in(A_i) \times T)$. Then either $Z_i$ is empty or $ftime(Z_i) \ge ltime(\alpha) = ltime(\alpha\lceil A_i)$. 
Thus, $Z_i$ is compatible with $\alpha\lceil A_i$. 


Let $m : \mathbb{N}_0 \to \mathbb{N}_0$ be a total, nondecreasing mapping. Define $m(n)$ inductively 
on $n$ such that $m(0) = 0$ and either $m(n) = m(n-1)$ or $m(n) = m(n-1) + 1$ (for $n > 0$). 
Simultaneously the induction defines the pair $(\alpha_i^{m(n)}, Z_i^{m(n)})$, which is a new pair whenever $n > 0$ 
and $m(n) = m(n-1) + 1$. Furthermore, the same induction proves 


P1 $\alpha^n$ is finite iff $\alpha_i^{m(n)}$ is finite. 
P2 $ftime(f_i(\alpha_i^{m(n)}).trj) \le ltime(\alpha^n) \le ltime(f_i(\alpha_i^{m(n)}).trj)$ if $\alpha_i^{m(n)}$ is finite. 
P3 $\alpha^n\lceil A_i = \alpha_i^{m(n)} \frown (f_i(\alpha_i^{m(n)}).trj \lhd ltime(\alpha^n))$ if $\alpha_i^{m(n)}$ is finite, 
and $\alpha^n\lceil A_i = \alpha_i^{m(n)}$ otherwise. 
P4 $Z_i^{m(n)} = t\text{-}seq(\alpha' - \alpha^n)\lceil(in(A_i) \times T)$ if $\alpha_i^{m(n)}$ is finite, 
and $Z_i^{m(n)} = \varepsilon$ otherwise. 
P5 If $n > 0$ and $m(n) = m(n-1) + 1$ then $((\alpha_i^{m(n-1)}, Z_i^{m(n-1)}), (\alpha_i^{m(n)}, Z_i^{m(n)})) \in R_{(g_i,f_i)}$. 


Intuitively, $(\alpha_i^n, Z_i^n)$ represents an outcome sequence of $(g_i, f_i)$ given $\alpha\lceil A_i$ and $Z_i$, and the 
mapping $m$ associates each $\alpha^n$ with the first $\alpha_i^m$ such that $\alpha^n\lceil A_i \le_t \alpha_i^m$. 

Note that all the statements are well-defined. For P3, when $\alpha_i^{m(n)}$ is finite, the application 
of the $\lhd$ operator is well-defined since $(g_i, f_i)$ is a strategy defined on $A_i$ and statement P2 
applies; for P4, when $\alpha_i^{m(n)}$ is finite, $\alpha' - \alpha^n$ is well-defined since by P1 $\alpha^n$ is finite, and 
furthermore $\alpha^n \le_t \alpha'$ by definition. These observations are not repeated below. Finally, note 
that P5 is not needed in the induction step. P5 is included in the induction for convenience. 


Base case $n = 0$: 
Define: $m(0) = 0$, $\alpha_i^{m(0)} = \alpha^0\lceil A_i$, $Z_i^{m(0)} = Z_i$. 


P1 $\alpha^0 = \alpha$ is finite by definition. Since $\alpha_i^{m(0)} = \alpha^0\lceil A_i$, Lemma 4.11 implies that also $\alpha_i^{m(0)}$ 
is finite. 


P2 By P1, $\alpha_i^{m(0)}$ is finite. Since $\alpha_i^{m(0)} = \alpha^0\lceil A_i$ and $\alpha^0 = \alpha$, it is necessary to prove that 
$ftime(f_i(\alpha\lceil A_i).trj) \le ltime(\alpha) \le ltime(f_i(\alpha\lceil A_i).trj)$. From the fact that $(g_i, f_i)$ is a 
strategy defined on $A_i$ and Lemma 4.11 conclude that $ftime(f_i(\alpha\lceil A_i).trj) = ltime(\alpha)$, 
and since $ftime(f_i(\alpha\lceil A_i).trj) \le ltime(f_i(\alpha\lceil A_i).trj)$, the result follows. 


P3 First note that $\alpha_i^{m(0)}$ is finite. As in P2, $ftime(f_i(\alpha_i^{m(0)}).trj) = ltime(\alpha^0)$. Thus, $\alpha^0\lceil A_i = 
\alpha_i^{m(0)} = \alpha_i^{m(0)} \frown (f_i(\alpha_i^{m(0)}).trj \lhd ltime(\alpha^0))$, as required. 


P4 First note that $\alpha_i^{m(0)}$ is finite. Then $Z_i^{m(0)} = Z_i = t\text{-}seq(\alpha' - \alpha)\lceil(in(A_i) \times T) = t\text{-}seq(\alpha' - 
\alpha^0)\lceil(in(A_i) \times T)$, as required. 


P5 Vacuously satisfied. 


Inductive step $n > 0$: 
Assume P1-P5 hold for all $k < n$. Consider cases: 


Case 1 $\alpha^{n-1}$ is not finite. 


Since $((\alpha^{n-1}, Z^{n-1}), (\alpha^n, Z^n)) \in R_{(g,f)}$ and $\alpha^{n-1}$ is not finite, $(\alpha^{n-1}, Z^{n-1}) = (\alpha^n, Z^n)$. 
Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}$, $Z_i^{m(n)} = Z_i^{m(n-1)}$. 


P1 Since $\alpha^n = \alpha^{n-1}$ and $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}$, the result follows from induction hypothesis 
P1. 

P2 Since $\alpha^n = \alpha^{n-1}$, $\alpha^n$ is not finite and by P1 $\alpha_i^{m(n)}$ is not finite. Thus, P2 is vacuously 
satisfied. 

P3 Again, since $\alpha^n = \alpha^{n-1}$ and $\alpha_i^{m(n)} = \alpha_i^{m(n-1)}$, and none of these timed executions 
are finite (by P1), the result follows from induction hypothesis P3. 

P4 As for P3 the result follows from an induction hypothesis; here P4. 

P5 Since $\alpha_i^{m(n-1)}$ is not finite, the result follows directly from the definition of $\alpha_i^{m(n)}$, 
$Z_i^{m(n)}$ and $R_{(g_i,f_i)}$. 


Case 2 $\alpha^{n-1}$ is finite and $\alpha^n$ is not finite. 
Since $((\alpha^{n-1}, Z^{n-1}), (\alpha^n, Z^n)) \in R_{(g,f)}$, $\alpha^{n-1}$ is finite, and $\alpha^n$ is not finite, by Defini-
tion 4.17, $\alpha^n = \alpha^{n-1} \frown w$, where $w = f(\alpha^{n-1})$, and $Z^n = Z^{n-1} = \varepsilon$. 
By induction hypothesis P1, $\alpha_i^{m(n-1)}$ is finite. Thus 

$w\lceil A_i =_1 f_i(\alpha^{n-1}\lceil A_i) =_2 f_i(\alpha_i^{m(n-1)} \frown (f_i(\alpha_i^{m(n-1)}).trj \lhd ltime(\alpha^{n-1}))) =_3 f_i(\alpha_i^{m(n-1)}) \rhd ltime(\alpha^{n-1})$ 

where step 1 follows from the definition of $(g, f)$ (Definition 4.31) and the fact that $ltime(w) = 
\infty$ (because $(g, f)$ is a strategy), step 2 follows from induction hypothesis P3, and step 3 
follows from consistency of $f_i$ (cf. Condition 4 of Definition 4.16). 


Define: $m(n) = m(n-1) + 1$, $\alpha_i^{m(n)} = \alpha_i^{m(n-1)} \frown f_i(\alpha_i^{m(n-1)})$, $Z_i^{m(n)} = \varepsilon$. 


P1 Neither $\alpha^n$ nor $\alpha_i^{m(n)}$ is finite. 
P2 Vacuously satisfied. 
P3 Since $\alpha_i^{m(n)}$ is admissible, prove that $\alpha^n\lceil A_i = \alpha_i^{m(n)}$. In particular 

$\alpha^n\lceil A_i =_1 (\alpha^{n-1} \frown w)\lceil A_i =_2 (\alpha^{n-1}\lceil A_i) \frown (w\lceil A_i) =_3 (\alpha_i^{m(n-1)} \frown (f_i(\alpha_i^{m(n-1)}).trj \lhd ltime(\alpha^{n-1}))) \frown (w\lceil A_i) =_4 \alpha_i^{m(n-1)} \frown (f_i(\alpha_i^{m(n-1)}) \lhd ltime(\alpha^{n-1})) \frown (f_i(\alpha_i^{m(n-1)}) \rhd ltime(\alpha^{n-1})) =_5 \alpha_i^{m(n-1)} \frown f_i(\alpha_i^{m(n-1)}) =_6 \alpha_i^{m(n)}$ 

where steps 1, 2, and 6 are trivial, step 3 follows from induction hypothesis P3, 
step 4 follows from the property of $w\lceil A_i$ proved above, and step 5 follows from the 
definition of the operators $\lhd$ and $\rhd$. 

P4 First note that $\alpha_i^{m(n)}$ is not finite and $\alpha_i^{m(n-1)}$ is finite. Then 

$Z_i^{m(n)} =_1 \varepsilon$, and $Z_i^{m(n-1)} =_2 t\text{-}seq(\alpha' - \alpha^{n-1})\lceil(in(A_i) \times T) =_3 t\text{-}seq(\alpha^n - \alpha^{n-1})\lceil(in(A_i) \times T) =_4 t\text{-}seq(w)\lceil(in(A_i) \times T) =_5 \varepsilon$ 

where steps 1, 4, and 5 are trivial, step 2 follows from induction hypothesis P4, and 
step 3 follows from the fact that $\alpha^n$ is admissible and thus a fixpoint in $(\alpha^k)_{k \ge 0}$. 

P5 Since $\alpha_i^{m(n-1)}$ is finite, $Z_i^{m(n)} = Z_i^{m(n-1)} = \varepsilon$ (by P4), and $\alpha_i^{m(n)} = \alpha_i^{m(n-1)} \frown 
f_i(\alpha_i^{m(n-1)})$, the result follows from the second case in the definition of $R_{(g_i,f_i)}$ (Def-
inition 4.17). 


Case 3 ”-! and ” are finite. 


The definition of Ri, 5) gives three cases to consider. (The first, third, and fourth cases 
in Definition 4.17.) Consider the first and third cases at the same time. 


Case 3.1 First and third cases. 
From definition of Ri.) note that 4" = U"~'~ wa{s}, f(2"7") = (w,a,s), and 


pte E or 
| (b,t)Z" with Itime(w) < t. 
In both cases J” = T"-?. 
Case 3.1.1 $a \notin \mathrm{acts}(A_i)$
Define: $m(n) = m(n-1)$
P1 Induction hypothesis P1 and the case assumptions imply that both $\Sigma^n$ and $\Sigma_i^{m(n)}$ are finite.
P2 Since $\Sigma_i^{m(n)}$ is finite, we must prove that $\mathrm{ftime}(f_i(\Sigma_i^{m(n)}).trj) \le \mathrm{ltime}(\Sigma^n) \le \mathrm{ltime}(f_i(\Sigma_i^{m(n)}).trj)$.
The first inequality holds by induction hypothesis P2 and the facts that $\Sigma_i^{m(n)} = \Sigma_i^{m(n-1)}$ and $\mathrm{ltime}(\Sigma^n) \ge \mathrm{ltime}(\Sigma^{n-1})$.
For the second inequality
$$\begin{aligned}
\mathrm{ltime}(\Sigma^n) &= \mathrm{ltime}(w) && (1)\\
&\le \mathrm{ltime}(f_i(\Sigma^{n-1}\lceil A_i).trj) && (2)\\
&= \mathrm{ltime}(f_i(\Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1}))).trj) && (3)\\
&= \mathrm{ltime}(f_i(\Sigma_i^{m(n-1)}).trj \rhd \mathrm{ltime}(\Sigma^{n-1})) && (4)\\
&= \mathrm{ltime}(f_i(\Sigma_i^{m(n-1)}).trj) && (5)\\
&= \mathrm{ltime}(f_i(\Sigma_i^{m(n)}).trj) && (6)
\end{aligned}$$
where steps 1 and 6 are trivial, step 2 follows from the definition of $(g,f)$ (cf. Definition 4.31), step 3 follows from induction hypothesis P3, step 4 follows from consistency of $f_i$ (cf. Condition 4 of Definition 4.16), and step 5 follows from the fact that the $\rhd$ operator preserves the limit time.
P3 First note that $\Sigma_i^{m(n)}$ is finite. Then
$$\begin{aligned}
\Sigma^n\lceil A_i &= (\Sigma^{n-1} \frown w\,a\,\{s\})\lceil A_i && (1)\\
&= \Sigma^{n-1}\lceil A_i \frown w\lceil A_i && (2)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown w\lceil A_i && (3)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown (f_i(\Sigma^{n-1}\lceil A_i).trj \lhd \mathrm{ltime}(\Sigma^n)) && (4)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown (f_i(\Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1}))).trj \lhd \mathrm{ltime}(\Sigma^n)) && (5)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown ((f_i(\Sigma_i^{m(n-1)}).trj \rhd \mathrm{ltime}(\Sigma^{n-1})) \lhd \mathrm{ltime}(\Sigma^n)) && (6)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^n)) && (7)\\
&= \Sigma_i^{m(n)} \frown (f_i(\Sigma_i^{m(n)}).trj \lhd \mathrm{ltime}(\Sigma^n)) && (8)
\end{aligned}$$
where steps 1 and 8 are trivial, step 2 follows from the fact that $a \notin \mathrm{acts}(A_i)$, step 3 follows from induction hypothesis P3, step 4 follows from the definition of $(g,f)$ (cf. Definition 4.31), step 5 follows from induction hypothesis P3, step 6 follows from consistency of $f_i$ (cf. Condition 4 of Definition 4.16), and step 7 follows from the definition of the operators and the fact that $\Sigma^{n-1} \le_t \Sigma^n$.


P4 Again note that $\Sigma_i^{m(n)}$ is finite. Then
$$\begin{aligned}
I_i^{m(n)} &= I_i^{m(n-1)} && (1)\\
&= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n-1}) \lceil (\mathrm{in}(A_i) \times T) && (2)\\
&= ((a, s.now) \cdot \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n)) \lceil (\mathrm{in}(A_i) \times T) && (3)\\
&= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n) \lceil (\mathrm{in}(A_i) \times T) && (4)
\end{aligned}$$
where step 1 is trivial, step 2 follows from induction hypothesis P4, step 3 follows from the definition of t-seq and the fact that $\Sigma^n = \Sigma^{n-1} \frown w\,a\,\{s\}$, and step 4 follows from the fact that $a \notin \mathrm{acts}(A_i)$ and thus $a \notin \mathrm{in}(A_i)$.

P5 Vacuously satisfied.


Case 3.1.2 $a \in \mathrm{local}(A_i)$
Since by induction hypothesis P1 $\Sigma_i^{m(n-1)}$ is finite,
$$\begin{aligned}
(w\lceil A_i, a, s\lceil A_i) &= f_i(\Sigma^{n-1}\lceil A_i) && (1)\\
&= f_i(\Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1}))) && (2)\\
&= f_i(\Sigma_i^{m(n-1)}) \rhd \mathrm{ltime}(\Sigma^{n-1}) && (3)
\end{aligned}$$
where step 1 follows from the definition of $(g,f)$ (Definition 4.31) and the fact that $a \in \mathrm{local}(A_i)$, step 2 follows from induction hypothesis P3, and step 3 follows from consistency of $f_i$ (cf. Condition 4 of Definition 4.16).
Thus, $f_i(\Sigma_i^{m(n-1)}) = (w_i, a, s_i)$, where $w_i \rhd \mathrm{ltime}(\Sigma^{n-1}) = w\lceil A_i$ and $s_i = s\lceil A_i$.
Define: $m(n) = m(n-1)+1$,
$$\Sigma_i^{m(n)} = \Sigma_i^{m(n-1)} \frown (w_i\,a\,\{s_i\}), \qquad I_i^{m(n)} = I_i^{m(n-1)}.$$
P1 Both $\Sigma^n$ and $\Sigma_i^{m(n)}$ are finite.
P2 Since $\Sigma_i^{m(n)}$ is finite, we must prove that $\mathrm{ftime}(f_i(\Sigma_i^{m(n)}).trj) \le \mathrm{ltime}(\Sigma^n) \le \mathrm{ltime}(f_i(\Sigma_i^{m(n)}).trj)$.
Since $\mathrm{ftime}(f_i(\Sigma_i^{m(n)}).trj) = \mathrm{ltime}(w_i) = \mathrm{ltime}(w) = \mathrm{ltime}(\Sigma^n)$, the first inequality holds.
The proof of the second inequality is similar to the one in subcase 3.1.1, only here the last step should use $\mathrm{ltime}(f_i(\Sigma_i^{m(n-1)}).trj) \le \mathrm{ltime}(f_i(\Sigma_i^{m(n)}).trj)$.
P3 First note that both $\Sigma_i^{m(n-1)}$ and $\Sigma_i^{m(n)}$ are finite. Then
$$\begin{aligned}
\Sigma^n\lceil A_i &= (\Sigma^{n-1} \frown w\,a\,\{s\})\lceil A_i && (1)\\
&= \Sigma^{n-1}\lceil A_i \frown (w\lceil A_i)\,a\,\{s\lceil A_i\} && (2)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown (w\lceil A_i)\,a\,\{s\lceil A_i\} && (3)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown (f_i(\Sigma_i^{m(n-1)}).trj \rhd \mathrm{ltime}(\Sigma^{n-1}))\,a\,\{s\lceil A_i\} && (4)\\
&= \Sigma_i^{m(n-1)} \frown f_i(\Sigma_i^{m(n-1)}).trj\;a\,\{s\lceil A_i\} && (5)\\
&= \Sigma_i^{m(n-1)} \frown w_i\,a\,\{s_i\} && (6)\\
&= \Sigma_i^{m(n)} && (7)\\
&= \Sigma_i^{m(n)} \frown (f_i(\Sigma_i^{m(n)}).trj \lhd \mathrm{ltime}(\Sigma^n)) && (8)
\end{aligned}$$
where steps 1, 6, and 7 are trivial, step 2 follows from the fact that $a \in \mathrm{acts}(A_i)$, step 3 follows from induction hypothesis P3, step 4 follows from the properties of $w\lceil A_i$ proved at the beginning of this case, step 5 follows from the definition of $\lhd$ and $\rhd$, and finally step 8 follows from the fact that $\mathrm{ltime}(\Sigma^n) = \mathrm{ltime}(\Sigma_i^{m(n)}) = \mathrm{ftime}(f_i(\Sigma_i^{m(n)}).trj)$.

P4 Again, note that both $\Sigma_i^{m(n-1)}$ and $\Sigma_i^{m(n)}$ are finite.
$$\begin{aligned}
I_i^{m(n)} &= I_i^{m(n-1)} && (1)\\
&= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n-1}) \lceil (\mathrm{in}(A_i) \times T) && (2)\\
&= ((a, s.now) \cdot \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n)) \lceil (\mathrm{in}(A_i) \times T) && (3)\\
&= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n) \lceil (\mathrm{in}(A_i) \times T) && (4)
\end{aligned}$$
where step 1 is trivial, step 2 follows from induction hypothesis P4, step 3 follows from the definition of t-seq and the fact that $\Sigma^n = \Sigma^{n-1} \frown w\,a\,\{s\}$, and step 4 follows from $a \in \mathrm{local}(A_i)$ and thus $a \notin \mathrm{in}(A_i)$.

P5 If $I_i^{m(n-1)} = \varepsilon$, the result follows from the first case in the definition of $R_{(g_i,f_i)}$ (Definition 4.17).
Now, assume $I_i^{m(n-1)} = (b,t')I'$. Then $a \ne b$ since $a \in \mathrm{local}(A_i)$ and $b \in \mathrm{in}(A_i)$. Now, since $I_i^{m(n-1)} = \mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n-1}) \lceil (\mathrm{in}(A_i) \times T)$ and $(a, s.now)$ is first on $\mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n-1})$, conclude that $s.now < t'$. Thus, $\mathrm{ltime}(w_i) = \mathrm{ltime}(w) = s.now < t'$. Then the result follows from the third case in the definition of $R_{(g_i,f_i)}$.


Case 3.1.3 $a \in \mathrm{in}(A_i)$
Let $w_i = f_i(\Sigma_i^{m(n-1)}).trj$.
Similar to proof P2 of subcase 3.1.1, it is easy to prove: $\mathrm{ftime}(w_i) \le \mathrm{ltime}(\Sigma^n) \le \mathrm{ltime}(w_i)$.
Then, let $w_i' = w_i \lhd \mathrm{ltime}(\Sigma^n)$ and $s_i = g_i(\Sigma_i^{m(n-1)} \frown w_i', a)$.
Furthermore,
$$\begin{aligned}
I_i^{m(n-1)} &= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n-1}) \lceil (\mathrm{in}(A_i) \times T) && (1)\\
&= ((a, s.now) \cdot \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n)) \lceil (\mathrm{in}(A_i) \times T) && (2)\\
&= (a, s.now) \cdot (\mathrm{t\text{-}seq}(\Sigma' - \Sigma^n) \lceil (\mathrm{in}(A_i) \times T)) && (3)
\end{aligned}$$
where step 1 follows from induction hypothesis P4, step 2 follows from the definition of $\Sigma^n$, and step 3 follows from the fact that $a \in \mathrm{in}(A_i)$. Thus, in particular $I_i^{m(n-1)}$ is not empty.

Define: $m(n) = m(n-1)+1$,
$$\Sigma_i^{m(n)} = \Sigma_i^{m(n-1)} \frown (w_i'\,a\,\{s_i\}), \qquad I_i^{m(n)} = \mathrm{tail}(I_i^{m(n-1)}).$$

P1 Both $\Sigma^n$ and $\Sigma_i^{m(n)}$ are finite.

P2 Similar to the proof of P2 in subcase 3.1.2.

P3 First note that both $\Sigma_i^{m(n-1)}$ and $\Sigma_i^{m(n)}$ are finite.
First,
$$\begin{aligned}
w\lceil A_i &= f_i(\Sigma^{n-1}\lceil A_i).trj \lhd \mathrm{ltime}(\Sigma^n) && (1)\\
&= f_i(\Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1}))).trj \lhd \mathrm{ltime}(\Sigma^n) && (2)\\
&= (f_i(\Sigma_i^{m(n-1)}).trj \rhd \mathrm{ltime}(\Sigma^{n-1})) \lhd \mathrm{ltime}(\Sigma^n) && (3)\\
&= (w_i \rhd \mathrm{ltime}(\Sigma^{n-1})) \lhd \mathrm{ltime}(\Sigma^n) && (4)
\end{aligned}$$
where step 1 follows from the definition of $(g,f)$ (Definition 4.31), step 2 follows from induction hypothesis P3, step 3 follows from consistency of $f_i$ (cf. Condition 4 of Definition 4.16), and step 4 follows from the definition of $w_i$.
Second,
$$\begin{aligned}
s\lceil A_i &= g_i((\Sigma^{n-1} \frown w)\lceil A_i, a) && (1)\\
&= g_i(\Sigma^{n-1}\lceil A_i \frown w\lceil A_i, a) && (2)\\
&= g_i(\Sigma_i^{m(n-1)} \frown (w_i \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown ((w_i \rhd \mathrm{ltime}(\Sigma^{n-1})) \lhd \mathrm{ltime}(\Sigma^n)), a) && (3)\\
&= g_i(\Sigma_i^{m(n-1)} \frown (w_i \lhd \mathrm{ltime}(\Sigma^n)), a) && (4)\\
&= g_i(\Sigma_i^{m(n-1)} \frown w_i', a) && (5)\\
&= s_i && (6)
\end{aligned}$$
where steps 2, 5, and 6 are trivial, step 1 follows from the definition of $(g,f)$ (Definition 4.31), step 3 follows from induction hypothesis P3, the property of $w\lceil A_i$ proved above, and the definition of $w_i$, and step 4 follows from the definition of the operators.


Finally,
$$\begin{aligned}
\Sigma^n\lceil A_i &= \Sigma^{n-1}\lceil A_i \frown (w\lceil A_i)\,a\,\{s\lceil A_i\} && (1)\\
&= \Sigma_i^{m(n-1)} \frown (f_i(\Sigma_i^{m(n-1)}).trj \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown (w\lceil A_i)\,a\,\{s\lceil A_i\} && (2)\\
&= \Sigma_i^{m(n-1)} \frown (w_i \lhd \mathrm{ltime}(\Sigma^{n-1})) \frown ((w_i \rhd \mathrm{ltime}(\Sigma^{n-1})) \lhd \mathrm{ltime}(\Sigma^n))\,a\,\{s_i\} && (3)\\
&= \Sigma_i^{m(n-1)} \frown w_i'\,a\,\{s_i\} && (4)\\
&= \Sigma_i^{m(n)} && (5)\\
&= \Sigma_i^{m(n)} \frown (f_i(\Sigma_i^{m(n)}).trj \lhd \mathrm{ltime}(\Sigma^n)) && (6)
\end{aligned}$$
where steps 1 and 5 are trivial, step 2 follows from induction hypothesis P3, step 3 follows from the property of $w\lceil A_i$ proved above and the definition of $w_i$, step 4 follows from the definition of the operators, and finally step 6 follows from the fact that $\mathrm{ftime}(f_i(\Sigma_i^{m(n)}).trj) = \mathrm{ltime}(\Sigma_i^{m(n)}) = \mathrm{ltime}(w_i') = \mathrm{ltime}(\Sigma^n)$.

P4 First note that both $\Sigma_i^{m(n-1)}$ and $\Sigma_i^{m(n)}$ are finite.
$$\begin{aligned}
I_i^{m(n)} &= \mathrm{tail}(I_i^{m(n-1)}) && (1)\\
&= \mathrm{tail}((a, s.now) \cdot (\mathrm{t\text{-}seq}(\Sigma' - \Sigma^n) \lceil (\mathrm{in}(A_i) \times T))) && (2)\\
&= \mathrm{t\text{-}seq}(\Sigma' - \Sigma^n) \lceil (\mathrm{in}(A_i) \times T) && (3)
\end{aligned}$$
where steps 1 and 3 are trivial and step 2 follows from the property of $I_i^{m(n-1)}$ proved at the beginning of this case.

P5 This follows directly from the fourth case in the definition of $R_{(g_i,f_i)}$ (Definition 4.17).


Case 3.2 Fourth case.

The definition of $R_{(g,f)}$ gives us $\Sigma^n = \Sigma^{n-1} \frown w'\,a\,\{s'\}$, $I^{n-1} = (a,t)I^n$, $f(\Sigma^{n-1}).trj = w$, $\mathrm{ltime}(w) \ge t$, $w' = w \lhd t$, and $g(\Sigma^{n-1} \frown w', a) = s'$. Distinguish three subcases.

Case 3.2.1 $a \notin \mathrm{acts}(A_i)$
Similar to subcase 3.1.1.

Case 3.2.2 $a \in \mathrm{local}(A_i)$
This situation cannot occur since $a \in \mathrm{in}(A)$ (cf. Definition 4.10).

Case 3.2.3 $a \in \mathrm{in}(A_i)$
Similar to subcase 3.1.3.


This concludes the inductive definition and induction proof. Since $m(0) = 0$, $m(n)$ is either $m(n-1)+1$ or $m(n-1)$, and $(\Sigma_i^{m(n)}, I_i^{m(n)})$ are defined every time $m(n) = m(n-1)+1$, the sequence $(\Sigma_i^n, I_i^n)_{0 \le n < \lim_{k\to\infty} m(k)}$ is defined. Furthermore, by the base case and the proof of P5 for every $n$ with $m(n) = m(n-1)+1$:

• $(\Sigma_i^0, I_i^0) = (\Sigma\lceil A_i, I_i)$ and
• for all $0 < n < \lim_{k\to\infty} m(k)$, $((\Sigma_i^{n-1}, I_i^{n-1}), (\Sigma_i^n, I_i^n)) \in R_{(g_i,f_i)}$.


Using the results of the induction, the lemma can now be proven. Consider cases based on $(\Sigma^n)_{n \ge 0}$.

1. One of $\Sigma^n$ is not finite.

Then, by definition of $R_{(g,f)}$, there exists a number $n' > 0$ such that $\Sigma^{n'-1}$ is finite, $\Sigma^{n'}$ is admissible, and for all $n > n'$, $\Sigma^n = \Sigma^{n'}$.

In the induction above each $n > n'$ is handled by case 1. Since this case sets $m(n) = m(n-1)+1$, $\lim_{n\to\infty} m(n) = \infty$. Thus, $(\Sigma_i^n, I_i^n)_{n \ge 0}$ is defined and this sequence then forms an outcome sequence of $(g_i,f_i)$ given $\Sigma\lceil A_i$ and $I_i$. Then
$$\begin{aligned}
\Sigma'\lceil A_i &= (\lim_{n\to\infty} \Sigma^n)\lceil A_i && (1)\\
&= \lim_{n\to\infty}(\Sigma^n\lceil A_i) && (2)\\
&= \lim_{n\to\infty} \Sigma_i^{m(n)} && (3)\\
&= \lim_{n\to\infty} \Sigma_i^n && (4)
\end{aligned}$$
where step 1 follows from the definition of $\Sigma'$, step 2 follows from the continuity of the projection operator, step 3 follows from P3 since for all $n > n'$, $\Sigma^n\lceil A_i = \Sigma_i^{m(n)}$, and step 4 follows from the fact that $\lim_{n\to\infty} m(n) = \infty$.

Thus, $\Sigma'\lceil A_i \in O_{(g_i,f_i)}(\Sigma\lceil A_i, I_i)$, as required.
2. All $\Sigma^n$ are finite.

(a) $\lim_{n\to\infty} m(n) \ne \infty$

Since $m$ is nondecreasing, there exist natural numbers $n'$ and $m'$ such that for all $n > n'$, $m(n) = m'$. Thus, $(\Sigma_i^n, I_i^n)_{0 \le n \le m'}$ is defined. In the induction above each $n > n'$ is handled by either case 3.1.1 or 3.2.1 since all other cases set $m(n) = m(n-1)+1$. Cases 3.1.1 and 3.2.1 correspond to adding an action not in $\mathrm{acts}(A_i)$ to $\Sigma^n$. Thus, $\Sigma' - \Sigma^{n'}$ contains no actions from $\mathrm{acts}(A_i)$, which implies that $|\Sigma' \lceil \mathrm{acts}(A_i)| = |\Sigma^{n'} \lceil \mathrm{acts}(A_i)| \ne \infty$ since $\Sigma^{n'}$ is finite. Thus, by hypothesis $\Sigma'$ is not Zeno. Lemma 4.18 then implies that $\Sigma'$ is admissible.

Now, for all $n > n'$, P1 and P2 imply that $\mathrm{ltime}(\Sigma^n) \le \mathrm{ltime}(f_i(\Sigma_i^{m'}).trj)$. Since $\Sigma'$ is admissible, $\lim_{n\to\infty} \mathrm{ltime}(\Sigma^n) = \infty$, which implies that $\mathrm{ltime}(f_i(\Sigma_i^{m'}).trj) = \infty$. Thus, $f_i(\Sigma_i^{m'}) = w$ for some $w$ with $\mathrm{ltime}(w) = \infty$. Furthermore, by P4, $I_i^{m'} = \mathrm{t\text{-}seq}(\Sigma' - \Sigma^{n'}) \lceil (\mathrm{in}(A_i) \times T) = \varepsilon$.
Define $(\Sigma_i^{m'+1}, I_i^{m'+1}) = (\Sigma_i^{m'} \frown w, I_i^{m'})$. Then by definition of $R_{(g_i,f_i)}$ (Definition 4.17), $((\Sigma_i^{m'}, I_i^{m'}), (\Sigma_i^{m'+1}, I_i^{m'+1})) \in R_{(g_i,f_i)}$. Furthermore, for all $k > m'+1$, define $(\Sigma_i^k, I_i^k) = (\Sigma_i^{k-1}, I_i^{k-1})$.
Again, clearly $((\Sigma_i^{k-1}, I_i^{k-1}), (\Sigma_i^k, I_i^k)) \in R_{(g_i,f_i)}$.
Thus, $(\Sigma_i^n, I_i^n)_{n \ge 0}$ is an outcome sequence of $(g_i,f_i)$ given $\Sigma\lceil A_i$ and $I_i$. Now,
$$\begin{aligned}
\Sigma'\lceil A_i &= (\lim_{n\to\infty} \Sigma^n)\lceil A_i && (1)\\
&= \lim_{n\to\infty}(\Sigma^n\lceil A_i) && (2)\\
&= \lim_{n\to\infty}(\Sigma_i^{m'} \frown (f_i(\Sigma_i^{m'}).trj \lhd \mathrm{ltime}(\Sigma^n))) && (3)\\
&= \Sigma_i^{m'} \frown w && (4)\\
&= \lim_{n\to\infty} \Sigma_i^n && (5)
\end{aligned}$$
where step 1 follows from the definition of $\Sigma'$, step 2 follows from the continuity of the projection operator, step 3 follows from P3, step 4 follows from the definition of $w$ and the fact that $\lim_{n\to\infty} \mathrm{ltime}(\Sigma^n) = \infty$, and step 5 follows from the fact that $\Sigma_i^n = \Sigma_i^{m'} \frown w$ for all $n > m'$.
Thus, $\Sigma'\lceil A_i \in O_{(g_i,f_i)}(\Sigma\lceil A_i, I_i)$, as required.

(b) $\lim_{n\to\infty} m(n) = \infty$

In this situation $(\Sigma_i^n, I_i^n)_{n \ge 0}$ is an outcome sequence of $(g_i,f_i)$ given $\Sigma\lceil A_i$ and $I_i$. Then
$$\begin{aligned}
\Sigma'\lceil A_i &= (\lim_{n\to\infty} \Sigma^n)\lceil A_i && (1)\\
&= \lim_{n\to\infty}(\Sigma^n\lceil A_i) && (2)\\
&= \lim_{n\to\infty}(\Sigma_i^{m(n)} \frown (f_i(\Sigma_i^{m(n)}).trj \lhd \mathrm{ltime}(\Sigma^n))) && (3)\\
&= \lim_{n\to\infty} \Sigma_i^{m(n)} && (4)\\
&= \lim_{n\to\infty} \Sigma_i^n && (5)
\end{aligned}$$
where step 1 follows from the definition of $\Sigma'$, step 2 follows from the continuity of the projection operator, step 3 follows from P3, step 4 follows from the fact that for all $n$, $\Sigma_i^{m(n)} \le_t \Sigma_i^{m(n)} \frown (f_i(\Sigma_i^{m(n)}).trj \lhd \mathrm{ltime}(\Sigma^n)) \le_t \Sigma_i^{m(n+1)}$ (this follows directly from the definition of $\Sigma_i^{m(n)}$ for all $n$ where $m(n) = m(n-1)+1$), and finally step 5 follows from the fact that $\lim_{n\to\infty} m(n) = \infty$.

Thus, $\Sigma'\lceil A_i \in O_{(g_i,f_i)}(\Sigma\lceil A_i, I_i)$, as required.
This concludes the proof. ∎


Lemma 4.34

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live timed I/O automata and let, for each $1 \le i \le N$, $(g_i, f_i)$ be an environment-free strategy for $(A_i, L_i \cup \mathrm{t\text{-}exec}^{Zt}(A_i))$. Furthermore, let $(A, L) = (A_1, L_1)\|\cdots\|(A_N, L_N)$. Then $(g, f) = (g_1, f_1)\|\cdots\|(g_N, f_N)$ is an environment-free strategy for $(A, L \cup \mathrm{t\text{-}exec}^{Zt}(A))$.

Proof. Definition 4.22 gives the following proof obligations.
1. $A$ is a safe timed I/O automaton,
2. $L \cup \mathrm{t\text{-}exec}^{Zt}(A) \subseteq \mathrm{t\text{-}exec}(A)$,
3. $O_{(g,f)}(\Sigma, I) \subseteq L \cup \mathrm{t\text{-}exec}^{Zt}(A)$, for all $\Sigma \in \mathrm{t\text{-}exec}^*(A)$ and all timed environment sequences $I$ for $A$ that are compatible with $\Sigma$, and
4. $(g, f)$ is Zeno-tolerant.
Consider the points one at a time.

1. Definition 4.25 along with Definition 4.10 directly implies that $A$ is a safe timed I/O automaton.

2. By Definition 4.25, $L = \{\Sigma \in \mathrm{t\text{-}exec}(A) \mid \Sigma\lceil A_1 \in L_1, \ldots, \Sigma\lceil A_N \in L_N\}$. Thus, Lemma 4.11 implies $L \subseteq \mathrm{t\text{-}exec}(A)$. Finally, since $\mathrm{t\text{-}exec}^{Zt}(A) \subseteq \mathrm{t\text{-}exec}(A)$, the result follows.

3. Let $\Sigma \in \mathrm{t\text{-}exec}^*(A)$ be an arbitrary finite timed execution of $A$ and $I$ be an arbitrary timed environment sequence for $A$ that is compatible with $\Sigma$. Note, since $(g_i, f_i)$ is an environment-free strategy for $(A_i, L_i \cup \mathrm{t\text{-}exec}^{Zt}(A_i))$, $(g_i, f_i)$ is, by Definition 4.22, a Zeno-tolerant strategy defined on $A_i$. Let $\Sigma'$ be an arbitrary element of the outcome $O_{(g,f)}(\Sigma, I)$. By Lemma 4.18, $\Sigma'$ is either Zeno or admissible.

• Assume $\Sigma'$ is Zeno.

By Lemma 4.18, $\Sigma'$ contains infinitely many actions ($|\Sigma' \lceil \mathrm{acts}(A)| = \infty$). Assume $\Sigma'$ is not Zeno-tolerant ($\Sigma' \notin \mathrm{t\text{-}exec}^{Zt}(A)$). Then $|\Sigma' \lceil \mathrm{local}(A)| = \infty$. Since each locally-controlled action in $\Sigma'$ belongs to the locally-controlled actions of one of the component automata of $A$, and there are only finitely many such components, there exists an $i$ such that $|\Sigma' \lceil \mathrm{local}(A_i)| = \infty$, which also implies $|(\Sigma'\lceil A_i) \lceil \mathrm{local}(A_i)| = \infty$. Lemma 4.33 now implies the existence of a timed sequence $I_i$ over $\mathrm{in}(A_i)$ compatible with $\Sigma\lceil A_i$ such that $\Sigma'\lceil A_i \in O_{(g_i,f_i)}(\Sigma\lceil A_i, I_i)$. Since $\Sigma'\lceil A_i$ is Zeno (by Lemma 4.11) and $|(\Sigma'\lceil A_i) \lceil \mathrm{local}(A_i)| = \infty$, there is a contradiction to the fact that $(g_i, f_i)$ is Zeno-tolerant.

Thus, $\Sigma' \in \mathrm{t\text{-}exec}^{Zt}(A)$. That suffices.

• Assume $\Sigma'$ is admissible.

By Lemma 4.33, for each $1 \le i \le N$ there exists a timed sequence $I_i$ over $\mathrm{in}(A_i)$ compatible with $\Sigma\lceil A_i$ such that $\Sigma'\lceil A_i \in O_{(g_i,f_i)}(\Sigma\lceil A_i, I_i)$. By Lemma 4.11, $\Sigma'\lceil A_i$ is admissible. Now the fact that $(g_i, f_i)$ is environment-free for the pair $(A_i, L_i \cup \mathrm{t\text{-}exec}^{Zt}(A_i))$ implies that $\Sigma'\lceil A_i \in L_i$. This implies, by Definition 4.25, that $\Sigma' \in L$. That suffices.

4. To prove that $(g, f)$ is Zeno-tolerant (cf. Definition 4.21), it suffices to note that the previous case says that $O_{(g,f)}(\Sigma, I) \subseteq L \cup \mathrm{t\text{-}exec}^{Zt}(A)$, where $L \subseteq \mathrm{t\text{-}exec}^\infty(A)$. ∎


The main result, closure of the parallel composition operator, can now be proven.

Proposition 4.35 (Closure of parallel composition)

Let $(A_1, L_1), \ldots, (A_N, L_N)$ be compatible live timed I/O automata. Then the parallel composition $(A_1, L_1)\|\cdots\|(A_N, L_N)$ is a live timed I/O automaton.

Proof. Let $(A, L) = (A_1, L_1)\|\cdots\|(A_N, L_N)$. Definition 4.10 implies that $A$ is a safe timed I/O automaton. Furthermore, since $L_i \subseteq \mathrm{t\text{-}exec}^\infty(A_i)$, Lemma 4.11 and Definition 4.25 show that $L \subseteq \mathrm{t\text{-}exec}^\infty(A)$.

For each $1 \le i \le N$, let $(g_i, f_i)$ be an environment-free strategy for $(A_i, L_i \cup \mathrm{t\text{-}exec}^{Zt}(A_i))$. By Lemma 4.34 the strategy $(g, f) = (g_1, f_1)\|\cdots\|(g_N, f_N)$ is an environment-free strategy for $(A, L \cup \mathrm{t\text{-}exec}^{Zt}(A))$. Therefore, the pair $(A, L \cup \mathrm{t\text{-}exec}^{Zt}(A))$ is environment-free. By Definition 4.23 of live timed I/O automata, the result now follows. ∎


4.5 Preorder Relations for Live Timed I/O Automata 


For safe timed I/O automata there are several ways of defining a timed trace preorder that 
depend upon which kinds of traces are being considered. A naive choice would be to consider 
all the timed traces of a safe timed I/O automaton; however, one might not be interested in, 
e.g., the Zeno timed traces of a system. For the live preorder, on the other hand, there is a 
unique natural choice. 


Definition 4.36 (Timed trace preorders)

Given two live timed I/O automata $(A_1, L_1)$ and $(A_2, L_2)$ such that $\mathrm{esig}(A_1) = \mathrm{esig}(A_2)$, define the following preorders:

Safe: $(A_1, L_1) \sqsubseteq_S (A_2, L_2)$ iff $\mathrm{t\text{-}traces}(A_1) \subseteq \mathrm{t\text{-}traces}(A_2)$.
Safe-finite: $(A_1, L_1) \sqsubseteq_S^* (A_2, L_2)$ iff $\mathrm{t\text{-}traces}^*(A_1) \subseteq \mathrm{t\text{-}traces}^*(A_2)$.
Safe-admissible: $(A_1, L_1) \sqsubseteq_S^\infty (A_2, L_2)$ iff $\mathrm{t\text{-}traces}^\infty(A_1) \subseteq \mathrm{t\text{-}traces}^\infty(A_2)$.
Safe-non-Zeno: $(A_1, L_1) \sqsubseteq_S^{nZ} (A_2, L_2)$ iff $(A_1, L_1) \sqsubseteq_S^* (A_2, L_2)$ and $(A_1, L_1) \sqsubseteq_S^\infty (A_2, L_2)$.
Live: $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$ iff $\mathrm{t\text{-}traces}(L_1) \subseteq \mathrm{t\text{-}traces}(L_2)$. ∎

The safe-non-Zeno preorder is the relation that is used in [VL92]. This preorder is used in [VL92] instead of the more natural safe-admissible preorder since finite timed traces are needed for substitutivity of a sequential composition operator.

It is interesting to note that the live preorder implies the safe preorder whenever the involved 
safe timed I/O automata have timed finite internal nondeterminism. On the other hand, if 
the involved safe timed I/O automata do not have timed finite internal nondeterminism, then 
the live preorder only implies finite timed trace inclusion. Essentially, timed finite internal 
nondeterminism requires that a timed automaton has a finite internal branching structure. In 
particular, a finite timed trace can lead to at most finitely many states. 


Definition 4.37 (Timed finite internal nondeterminism)

A timed automaton $A$ has timed finite internal nondeterminism (t-FIN) iff, for each trace $\gamma \in \mathrm{t\text{-}traces}^*(A)$, the set $\{\mathrm{lstate}(\Sigma) \mid \mathrm{t\text{-}trace}(\Sigma) = \gamma\}$ is finite. ∎


Proposition 4.38
Let $(A_1, L_1)$ and $(A_2, L_2)$ be two live timed I/O automata with $\mathrm{vsig}(A_1) = \mathrm{vsig}(A_2)$.
1. If $(A_1, L_1) \sqsubseteq_S^\infty (A_2, L_2)$ then $(A_1, L_1) \sqsubseteq_S^* (A_2, L_2)$.
2. If $A_2$ has t-FIN and $(A_1, L_1) \sqsubseteq_S^* (A_2, L_2)$ then $(A_1, L_1) \sqsubseteq_S (A_2, L_2)$.
3. If $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$ then $(A_1, L_1) \sqsubseteq_S^* (A_2, L_2)$.

Proof.

1. Let $\gamma$ be a finite timed trace of $A_1$. By definition of timed trace, there is a timed execution $\Sigma_1$ of $A_1$ such that $\mathrm{t\text{-}trace}(\Sigma_1) = \gamma$. By definition of live timed I/O automaton there exists an admissible timed execution $\Sigma_1'$ of $A_1$ such that $\Sigma_1 \le_t \Sigma_1'$ and $\mathrm{t\text{-}trace}(\Sigma_1') \in L_1$ (just apply any environment-free strategy for $(A_1, L_1)$ to $\Sigma_1$ and to an admissible timed environment sequence for $A_1$ compatible with $\Sigma_1$). By definition of live timed I/O automaton, $\Sigma_1'$ is a timed execution of $A_1$. Since $(A_1, L_1) \sqsubseteq_S^\infty (A_2, L_2)$, there exists a timed execution $\Sigma_2'$ of $A_2$ such that $\mathrm{t\text{-}trace}(\Sigma_2') = \mathrm{t\text{-}trace}(\Sigma_1')$. Since the set of timed executions of a timed I/O automaton is closed under t-prefix, there is a t-prefix $\Sigma_2$ of $\Sigma_2'$ such that $\Sigma_2$ is a timed execution of $A_2$ and $\mathrm{t\text{-}trace}(\Sigma_2) = \gamma$, i.e., $\gamma$ is a timed trace of $A_2$.

2. This is a standard result that appears in [LV91].

3. Let $\gamma$ be a finite timed trace of $A_1$. By definition of timed trace, there is a timed execution $\Sigma_1$ of $A_1$ such that $\mathrm{t\text{-}trace}(\Sigma_1) = \gamma$. By definition of live timed I/O automaton there exists a timed execution $\Sigma_1'$ of $A_1$ such that $\Sigma_1 \le_t \Sigma_1'$ and $\mathrm{t\text{-}trace}(\Sigma_1') \in L_1$. Since $(A_1, L_1) \sqsubseteq_L (A_2, L_2)$, there exists a timed execution $\Sigma_2'$ of $L_2$ such that $\mathrm{t\text{-}trace}(\Sigma_2') = \mathrm{t\text{-}trace}(\Sigma_1')$. By definition of timed live I/O automaton, $\Sigma_2'$ is a timed execution of $A_2$, and, since the set of timed executions of a timed automaton is closed under t-prefix, there is a t-prefix $\Sigma_2$ of $\Sigma_2'$ such that $\Sigma_2$ is a timed execution of $A_2$ and $\mathrm{t\text{-}trace}(\Sigma_2) = \gamma$, i.e., $\gamma$ is a timed trace of $A_2$. ∎


The important property of the safe and live preorders is that they are substitutive for the 
operators of Section 4.4. In the case of the parallel composition operator, this means that 
an implementation of a system made up of several parallel components can be obtained by 
implementing each component separately. 


Theorem 4.39 (Substitutivity)

Let $(A_i, L_i)$, $(A_i', L_i')$, $i = 1, \ldots, N$ be live timed I/O automata, and let $\sqsubseteq_X$ be one relation among $\sqsubseteq_S$, $\sqsubseteq_S^*$, $\sqsubseteq_S^{nZ}$, $\sqsubseteq_S^\infty$ and $\sqsubseteq_L$. If, for each $i$, $(A_i, L_i) \sqsubseteq_X (A_i', L_i')$, then

1. if $(A_1, L_1), \ldots, (A_N, L_N)$ are compatible and $(A_1', L_1'), \ldots, (A_N', L_N')$ are compatible then
$(A_1, L_1)\|\cdots\|(A_N, L_N) \sqsubseteq_X (A_1', L_1')\|\cdots\|(A_N', L_N')$.

2. if $\Lambda \subseteq \mathrm{local}(A_1)$ and $\Lambda \subseteq \mathrm{local}(A_1')$ then
$(A_1, L_1)\backslash\Lambda \sqsubseteq_X (A_1', L_1')\backslash\Lambda$.

3. if $\rho$ is a mapping applicable to both $A_1$ and $A_1'$, then
$\rho((A_1, L_1)) \sqsubseteq_X \rho((A_1', L_1'))$.

Proof. The substitutivity results are a direct consequence of Lemmas 4.11, 4.13, and 4.15, and the observation, analogous to the one of the untimed model, that parallel composition, hiding and renaming of timed execution sets preserve timed trace equivalence. ∎


4.6 Comparison with Other Timed Models 


This section compares our timed model with the work of [AL91b, MMT91, VL92]. 

The formalism that is used in [AL91b] is the Temporal Logic of Actions (TLA) [Lam91] extended with a new variable $now$ that models time. A specification $S$ consists of the conjunction of three formulas $Init \wedge \Pi \wedge L$ where $Init$ represents the initial configurations of $S$, $\Pi$ is a safety property, and $L$ is a liveness property. The subformula $Init \wedge \Pi$ corresponds to our safe timed I/O automata, while the subformula $L$ corresponds to our timed liveness conditions. In [AL91b] $L$ can also be satisfied by finite or Zeno executions or by executions that do not satisfy $Init \wedge \Pi$. The formula $L$ is a liveness condition for $Init \wedge \Pi$ based on our definition iff the pair $(Init \wedge \Pi, L)$ is machine-closed based on the definition in [AL91b].

There is a special formula $NZ$ in [AL91b] that is used to express non-Zenoness, i.e., that time advances forever. Time blocking or Zeno behaviors are undesirable in [AL91b] as well as in our model; however, it is possible for the safety part of a specification to describe systems for which time cannot advance past a given upper bound whenever a particular state is reached. Such a situation is eliminated in [AL91b] by requiring the pair $(\Pi, NZ)$ to be machine-closed. In our model, on the other hand, the same situation is eliminated by the fact that system-Zeno executions are not allowed in the liveness part of a live timed I/O automaton and that a live timed I/O automaton is machine-closed by definition.

A major difference between our notion of environment-freedom and the notion of recep- 
tiveness of [AL91b] is in the role of time: in our model no one is allowed to have control over 
time; in [AL91b] either the system or its environment must have control over time. We believe 
that it is more reasonable to assume that no one has control over time, and thus consider our 
model easier to understand. 


The model of [MMT91] is an extension to the timed model of the I/O automaton model of [LT87]. The locally-controlled actions of an automaton are partitioned into classes, each one of which is associated with a lower bound (possibly 0 but not $\infty$) and an upper bound (possibly $\infty$ but not 0). Actions from one class with lower bound $c_l$ and upper bound $c_u$ must stay enabled for at least $c_l$ time units before one of them can be performed, and cannot stay enabled more than $c_u$ time units without any one of them being performed.

An automaton $M$ of [MMT91] can be represented in our model as a pair $(A, L)$ where $A$ is a safe timed I/O automaton with a transition relation that satisfies all the timing constraints of $M$, and $L$ is the set of all admissible executions of $A$. It is easy to check that $(A, L)$ is environment-free and that admissible timed trace inclusion in [MMT91] coincides with live trace inclusion in our model. However, there are liveness conditions that can be represented in our model but cannot be represented naturally in the model of [MMT91].


The work in [VL92] does not deal with general liveness properties, and argues that finite and admissible timed trace inclusion is generally sufficient to express a useful notion of implementation whenever time is involved. The work in [SLL93], however, has shown that liveness is useful even in a timed model. In general, the automata of [VL92] are not receptive; however, in order to avoid trivial implementations, [VL92] assumes some form of I/O distinction and some form of receptiveness at the lower level of implementation. There is a very close connection between the technical definitions of I/O feasibility and strong I/O feasibility of [VL92] and our notion of environment-freedom. It is possible to represent each timed I/O automaton $A$ of [VL92] with the pair $(A, L)$ where $L$ is the set of admissible executions of $A$. The notion of I/O feasibility of [VL92], which requires each finite timed execution of $A$ to be extendible to an admissible timed execution of $A$ using locally-controlled actions only, is stronger than requiring that $L$ is a liveness condition for $A$ and weaker than requiring that $(A, L)$ is a live timed I/O automaton. In order to have closure under parallel composition, [VL92] introduces a stronger requirement on I/O automata called strong I/O feasibility. Strong I/O feasibility adds to I/O feasibility the requirement that the safe part of an I/O automaton $A$ does not exhibit any system-Zeno execution. However, environment-freedom, which is weaker than strong I/O feasibility since the safe part of a live timed I/O automaton is allowed to exhibit system-Zeno behaviors, is sufficient to guarantee closure under parallel composition and hence substitutivity.


5 Embedding the Untimed Model in the Timed Model 


The untimed model, presented in Section 3, is used to specify systems where the amount of 
time that passes between actions is considered unimportant. Many problems in distributed 
computing can be stated and solved using this model. However, it is not possible to state 
anything about, e.g., response times in the untimed model. It is implicitly assumed that the 
final implementation on a physical machine is “fast enough” for practical use. 

An untimed system can be thought of as a timed system that allows arbitrary time-passage. 
This indicates that the timed model is, in some sense, more general than the untimed model, 
and that one could use the timed model in situations where one would usually use the untimed 
model. However, the timed model is more complicated than the untimed model due to the 
time-passage action, the now component, etc. Furthermore, it does not seem natural to be 
required to deal with time, when the problem to be solved does not mention time. 

Thus, one would like to work in the untimed model as much as possible and only switch 
to the timed model when it is needed. Sometimes, however, an algorithm that uses time 
implements a specification that does not use time. For example, [LLS93] shows how an untimed 
specification (of the at-most-once message delivery problem) is implemented by a system that 
assumes upper time bounds on certain process steps and channel delays. Fischer’s mutual 
exclusion algorithm [Fis85, AL91b] is another such example. Figure 1 depicts the stepwise 
development one would use for an implementation proof like the one in [LLS93]. The stepwise 
Figure 1: A stepwise development from an untimed specification to a timed implementation. (Figure labels: Untimed, Timed, IMPL.)


development in Figure 1, however, raises the issue of what it means to implement an untimed 
specification with a timed implementation. Our approach to this issue is to convert the untimed 
systems in the stepwise development to timed systems by applying a patient operator that adds 
arbitrary time-passage steps. The patient operator we use is similar to the one of [NS92, VL92]. 
To complement the patient operator, this section proves the Embedding Theorem which states 
that a concrete level implements an abstract level in the untimed model if and only if the 
patient version of the concrete level implements the patient version of the abstract level in 
the timed model. Thus, the first part of the stepwise development of Figure 1 can be carried 
out entirely in the simpler untimed model, and the last part in the timed model. In the 
intermediate development step which goes from untimed to timed, one must prove that the 
timed level implements the patient version of the untimed level. The embedding theorem can 
then be applied to show that the implementation IMPL implements the patient version of the 
specification SPEC. 


Definition 5.1 (Patient operator on safe I/O automata)

Let $A$ be a safe (untimed) I/O automaton where $\nu \notin \mathrm{acts}(A)$. Then define $\mathrm{patient}(A)$ to be the safe timed I/O automaton with

• $\mathrm{states}(\mathrm{patient}(A)) = \mathrm{states}(A) \times T$
  If $s = (s', t)$ is a state of $\mathrm{patient}(A)$, we let $s.basic$ denote $s'$.
• $\mathrm{start}(\mathrm{patient}(A)) = \mathrm{start}(A) \times \{0\}$
• $\mathrm{now}_{\mathrm{patient}(A)}((s, t)) = t$
• $\mathrm{out}(\mathrm{patient}(A)) = \mathrm{out}(A)$
• $\mathrm{int}(\mathrm{patient}(A)) = \mathrm{int}(A)$
• $\mathrm{steps}(\mathrm{patient}(A))$ consists of the steps
  – $\{((s,t), a, (s',t)) \mid (s,a,s') \in \mathrm{steps}(A)\}$
  – $\{((s,t), \nu, (s,t')) \mid t' > t\}$ ∎


The following trivial lemma states that the basic state of a patient automaton does not change 
during time-passage in a timed execution. 


Lemma 5.2

Let $A$ be a safe I/O automaton with $\nu \notin \mathrm{acts}(A)$ and let $\Sigma = w_0 a_1 w_1 a_2 w_2 \cdots$ be a timed execution of $\mathrm{patient}(A)$. Then, for all $i$ and all $s, s' \in \mathrm{rng}(w_i)$, $s.basic = s'.basic$. ∎


In order to state what it means to apply the patient operator to a live I/O automaton, the following auxiliary definition of what it means to untime a timed execution is needed. Let $A$ be a safe I/O automaton with $\nu \notin \mathrm{acts}(A)$ and let $\Sigma = w_0 a_1 w_1 a_2 w_2 \cdots$ be a timed execution of $\mathrm{patient}(A)$. Then define
$$\mathrm{untime}(\Sigma) = (\mathrm{fstate}(w_0).basic)\, a_1\, (\mathrm{fstate}(w_1).basic)\, a_2\, (\mathrm{fstate}(w_2).basic) \cdots$$
Similarly, let $\gamma = ((a_1, t_1)(a_2, t_2)\cdots, t)$ be a timed trace of $\mathrm{patient}(A)$. Then define
$$\mathrm{untime}(\gamma) = a_1 a_2 \cdots$$

Lemma 5.3

Let $A$ be a safe I/O automaton with $\nu \notin \mathrm{acts}(A)$. Then $\Sigma \in \mathrm{t\text{-}exec}(\mathrm{patient}(A))$ iff $\mathrm{untime}(\Sigma) \in \mathrm{exec}(A)$. Furthermore, if $\Sigma$ is finite, then $\mathrm{untime}(\Sigma)$ is finite.

Proof. The proof of this lemma is trivial using Lemma 5.2, Definition 5.1, and the definition of untime. ∎


The patient operator can now be extended to live I/O automata. For any live I/O automaton $(A, L)$, the patient live I/O automaton of $(A, L)$ should be the live timed I/O automaton whose safety part is $\mathrm{patient}(A)$ and whose liveness part consists of all those admissible executions that, when made untimed, are in $L$. Thus, the liveness condition of the patient live I/O automaton allows time to pass arbitrarily, as long as the liveness prescribed by $L$ is satisfied sooner or later. This is formalized in the following definition.
Definition 5.4 (Patient operator on live I/O automaton)

Let $(A, L)$ be a live I/O automaton with $\nu \notin \mathrm{acts}(A)$. Then, define $\mathrm{patient}_A(L) = \{\Sigma \in \mathrm{t\text{-}exec}^\infty(\mathrm{patient}(A)) \mid \mathrm{untime}(\Sigma) \in L\}$, and define $\mathrm{patient}(A, L)$, the patient live I/O automaton of $(A, L)$, to be the pair $(\mathrm{patient}(A), \mathrm{patient}_A(L))$. ∎

One must prove that for any live I/O automaton $(A, L)$, $\mathrm{patient}(A, L)$ is a live timed I/O automaton. This means showing the existence of an environment-free strategy for the pair $(\mathrm{patient}(A), \mathrm{patient}_A(L) \cup \mathrm{t\text{-}exec}^{Zt}(\mathrm{patient}(A)))$. This is accomplished by defining the patient strategy of an (untimed) strategy $(g, f)$ defined on $A$, and showing that the patient strategy of $(g, f)$ is environment-free for $(A_p, L_p \cup \mathrm{t\text{-}exec}^{Zt}(A_p))$, where $(A_p, L_p) = \mathrm{patient}(A, L)$, if $(g, f)$ is environment-free for $(A, L)$. To ensure that the patient strategy of $(g, f)$ is Zeno-tolerant, which is required for environment-freedom, the patient strategy of $(g, f)$ insists on letting time pass some fixed positive amount of time $\delta$ before making a local step.
To formalize this idea, the following definition is needed.


Definition 5.5

For any safe timed I/O automaton $A$ and any finite timed execution $\Sigma$ of $A$, define $\mathrm{lloctime}(\Sigma)$ to be the time of occurrence of the last locally-controlled action in $\Sigma$, or 0 if no such action exists. Formally, let $\Sigma = w_0 a_1 w_1 \cdots a_n w_n$. If $a_1, \ldots, a_n \notin \mathrm{local}(A)$, then define $\mathrm{lloctime}(\Sigma) = 0$; otherwise, define $\mathrm{lloctime}(\Sigma) = \mathrm{ftime}(w_j)$ where $a_j \in \mathrm{local}(A)$ and $a_{j+1}, \ldots, a_n \notin \mathrm{local}(A)$. ∎


Definition 5.6 (Patient strategy)

Let $A$ be a safe I/O automaton with $\nu \notin \mathrm{acts}(A)$ and $(g, f)$ be an (untimed) strategy defined on $A$. Furthermore, let $A_p = \mathrm{patient}(A)$. Then define the patient strategy of $(g, f)$ with respect to some positive real number $\delta$, written $\mathrm{patient}_\delta(g, f)$, to be the pair of functions
$$g_p : \mathrm{t\text{-}exec}^*(A_p) \times \mathrm{in}(A_p) \to \mathrm{states}(A_p)$$
$$f_p : \mathrm{t\text{-}exec}^*(A_p) \to (\mathrm{traj}(A_p) \times \mathrm{local}(A_p) \times \mathrm{states}(A_p)) \cup \mathrm{traj}(A_p)$$
defined in the following way
$$g_p(\Sigma, a) = (g(\mathrm{untime}(\Sigma), a), \mathrm{ltime}(\Sigma))$$
$$f_p(\Sigma) = \begin{cases}
(w, a, s) & \text{if } f(\mathrm{untime}(\Sigma)) = (a, s.basic),\ s.now = \mathrm{ltime}(w) \text{ and}\\
& \quad \mathrm{dom}(w) = [\mathrm{ltime}(\Sigma), \max(\mathrm{ltime}(\Sigma), \mathrm{lloctime}(\Sigma) + \delta)]\\
& \quad \mathrm{rng}(w) = \{(\mathrm{lstate}(\Sigma).basic, t) \mid t \in \mathrm{dom}(w)\}\\[4pt]
w & \text{if } f(\mathrm{untime}(\Sigma)) = \bot \text{ and}\\
& \quad \mathrm{dom}(w) = [\mathrm{ltime}(\Sigma), \infty]\\
& \quad \mathrm{rng}(w) = \{(\mathrm{lstate}(\Sigma).basic, t) \mid t \in \mathrm{dom}(w)\}
\end{cases}$$
For finite timed executions $\Sigma$ of $A_p$, Lemma 5.3 implies that $\mathrm{untime}(\Sigma)$ is a finite execution of $A$. Also, by Definition 5.1, $A$ and $A_p$ have the same input, output, and internal actions. Thus, in the definition of $(g_p, f_p)$, the domains and ranges of $g$ and $f$ are compatible with the usage of $g$ and $f$.

The following lemma states that the patient strategy is indeed a strategy. 


Lemma 5.7 


Let $A$ be a safe I/O automaton with $\nu \notin acts(A)$, $(g,f)$ an (untimed) strategy defined on $A$, and $\delta$ any positive real number. Then $\mathit{patient}_\delta(g,f)$ is a (timed) strategy defined on $\mathit{patient}(A)$.


Proof. Let $(g_p, f_p) = \mathit{patient}_\delta(g,f)$ and $A_p = \mathit{patient}(A)$. To verify that $(g_p, f_p)$ is a (timed) strategy defined on $A_p$, check the four conditions of Definition 4.16.

1. For the first condition, which deals with $g_p$, let, for arbitrary $\Sigma \in t\text{-}exec^*(A_p)$ and $a \in in(A_p)$, $g_p(\Sigma, a) = s = (s', t)$. By the definition of $g_p$ and the fact that $(g,f)$ is a strategy defined on $A$ (cf. Definition 3.11), $(lstate(untime(\Sigma)), a, s') \in steps(A)$ which, by definition of $untime$, Lemma 5.2, and the fact that $\Sigma$ is finite, is the same as $(lstate(\Sigma).basic, a, s') \in steps(A)$. Finally, Definition 5.1 and the fact that $t = ltime(\Sigma)$ gives $(lstate(\Sigma), a, s) \in steps(A_p)$, which suffices.

2. For the second condition let $f_p(\Sigma) = (w, a, s)$. Similar to the first condition, it is easy to see that $(lstate(w), a, s)$ is a step of $A_p$. Then by the definition of $w$ and the fact that $A_p$ allows time to pass arbitrarily, $w a \{s\}$ is a timed execution fragment of $A_p$ and $fstate(w) = lstate(\Sigma)$. Thus, $\Sigma \frown w a \{s\} \in t\text{-}exec^*(A_p)$ as required.

3. The argument parallels that for Condition 2.

4. Finally, the fourth condition, dealing with consistency of $f_p$, is considered.

 (a) Assume $f_p(\Sigma) = (w, a, s)$ and let $t$ be a time such that $ftime(w) \le t \le ltime(w)$. By definition of $f_p$ we have $f(untime(\Sigma)) = (a, s.basic)$, $s.now = ltime(w)$, $dom(w) = [ltime(\Sigma), \max(ltime(\Sigma), lloctime(\Sigma) + \delta)]$ and $rng(w) = \{(lstate(\Sigma).basic, t') \mid t' \in dom(w)\}$.

 By definition of $untime$, we have $untime(\Sigma \frown (w \triangleleft t)) = untime(\Sigma)$ (where $w \triangleleft t$ is the prefix of $w$ ending at time $t$), which implies $f(untime(\Sigma \frown (w \triangleleft t))) = f(untime(\Sigma))$.

 Thus, $f_p(\Sigma \frown (w \triangleleft t)) = (w', a, s')$ with $f(untime(\Sigma \frown (w \triangleleft t))) = (a, s'.basic) = (a, s.basic)$, $s'.now = ltime(w')$, $dom(w') = [ltime(\Sigma \frown (w \triangleleft t)), \max(ltime(\Sigma \frown (w \triangleleft t)), lloctime(\Sigma \frown (w \triangleleft t)) + \delta)]$ and $rng(w') = \{(lstate(\Sigma \frown (w \triangleleft t)).basic, t') \mid t' \in dom(w')\}$.

 Now, by Lemma 5.2, $lstate(\Sigma \frown (w \triangleleft t)).basic = lstate(\Sigma).basic$, and furthermore we have, by the definitions of $ltime$ and $lloctime$, that $ltime(\Sigma \frown (w \triangleleft t)) = t$ and $lloctime(\Sigma \frown (w \triangleleft t)) = lloctime(\Sigma)$.

 Assume $ltime(\Sigma) \ge lloctime(\Sigma) + \delta$. Then $ftime(w) = ltime(w) = t = ltime(\Sigma)$, and $\max(ltime(\Sigma \frown (w \triangleleft t)), lloctime(\Sigma \frown (w \triangleleft t)) + \delta) = \max(ltime(\Sigma), lloctime(\Sigma) + \delta)$. Then assume $ltime(\Sigma) < lloctime(\Sigma) + \delta$. Then $t \le ltime(w) = lloctime(\Sigma) + \delta$, and again we have $\max(ltime(\Sigma \frown (w \triangleleft t)), lloctime(\Sigma \frown (w \triangleleft t)) + \delta) = \max(t, lloctime(\Sigma) + \delta) = lloctime(\Sigma) + \delta = \max(ltime(\Sigma), lloctime(\Sigma) + \delta)$.

 Thus, we have $dom(w') = [ltime(\Sigma \frown (w \triangleleft t)), \max(ltime(\Sigma \frown (w \triangleleft t)), lloctime(\Sigma \frown (w \triangleleft t)) + \delta)] = [t, \max(ltime(\Sigma), lloctime(\Sigma) + \delta)] = dom(w \triangleright t)$ (where $w \triangleright t$ is the suffix of $w$ starting at time $t$) and $rng(w') = \{(lstate(\Sigma \frown (w \triangleleft t)).basic, t') \mid t' \in dom(w')\} = \{(lstate(\Sigma).basic, t') \mid t' \in dom(w \triangleright t)\} = rng(w \triangleright t)$. Therefore, $w' = w \triangleright t$ and $s'.now = ltime(w') = ltime(w)$ such that $s' = s$.

 Hence, finally conclude that $f_p(\Sigma \frown (w \triangleleft t)) = ((w \triangleright t), a, s)$, as required.

 (b) Assume $f_p(\Sigma) = w$. This case is handled similarly to the previous case.

Thus, $(g_p, f_p)$ is a strategy defined on $A_p$. ■


The proof that for any environment-free (untimed) strategy $(g,f)$ for a live I/O automaton $(A, L)$, and any positive $\delta$, the patient strategy $\mathit{patient}_\delta(g,f)$ is an environment-free (timed) strategy for $(A_p,\ L_p \cup t\text{-}exec^{Zi}(A_p))$, where $(A_p, L_p) = \mathit{patient}(A, L)$, uses two technical lemmas. The first of these lemmas states that if $\Sigma'$ is an admissible timed execution of an outcome of $\mathit{patient}_\delta(g,f)$, then $untime(\Sigma')$ is an outcome of $(g,f)$. This expresses the intuitive idea that the only significant difference between $(g,f)$ and $\mathit{patient}_\delta(g,f)$ is due to time-passage. The second lemma states that the difference in the time of occurrence of any two locally-controlled actions in a timed execution of an outcome of $\mathit{patient}_\delta(g,f)$ is at least $\delta$. This is, of course, due to the fact that $\mathit{patient}_\delta(g,f)$ insists on letting time pass for at least $\delta$ time units between local steps.


Lemma 5.8 


Let $A$ be a safe I/O automaton with $\nu \notin acts(A)$ and let $(g,f)$ be an (untimed) strategy defined on $A$. Let $A_p = \mathit{patient}(A)$ and $(g_p, f_p) = \mathit{patient}_\delta(g,f)$ for some arbitrary positive real number $\delta$. Then, for all $\Sigma \in t\text{-}exec^*(A_p)$, all timed environment sequences $\mathcal{I}_p$ for $A_p$ compatible with $\Sigma$, and all admissible $\Sigma' \in O_{(g_p,f_p)}(\Sigma, \mathcal{I}_p)$, there exists an environment sequence $\mathcal{I}$ for $A$ such that $untime(\Sigma') = O_{(g,f)}(untime(\Sigma), \mathcal{I})$.


Proof. First note that by Lemma 5.7, $(g_p, f_p)$ is a strategy defined on $A_p$.

Let $\Sigma \in t\text{-}exec^*(A_p)$ be an arbitrary finite timed execution of $A_p$, $\mathcal{I}_p$ an arbitrary timed environment sequence for $A_p$ compatible with $\Sigma$, and $\Sigma'$ an arbitrary admissible timed execution of the outcome $O_{(g_p,f_p)}(\Sigma, \mathcal{I}_p)$. Let $R_{(g_p,f_p)}$ be the next-relation induced by $(g_p, f_p)$ and $R_{(g,f)}$ the next-function induced by $(g,f)$. Also, let $(\Sigma^n, \mathcal{I}_p^n)_{n \ge 0}$ be an outcome sequence of $(g_p, f_p)$ given $\Sigma$ and $\mathcal{I}_p$ such that $\Sigma' = \lim_n \Sigma^n$.

Let $\mathbb{N}_0 \to \mathbb{N}_0$ be the signature of a total, nondecreasing mapping $m$. Define $m(n)$ inductively on $n$. Furthermore, define $\mathcal{I}^{-0}$ (a finite sequence over $in(A) \cup \{\lambda\}$) and for each $n > 0$ and each $m(n-1) < k \le m(n)$ define $\mathcal{I}^{-k}$ such that $\mathcal{I}^{-(k-1)} \le \mathcal{I}^{-k}$. After the definition show that this leads to a chain $(\mathcal{I}^{-n})_{n \ge 0}$, ordered by prefix, and let $\mathcal{I} = \lim_n \mathcal{I}^{-n}$.

Base case $n = 0$:

Define: $m(0) = 0$ and $\mathcal{I}^{-0} = \varepsilon$.

Inductive step $n > 0$:

$(\Sigma^n, \mathcal{I}_p^n)$ is related to $(\Sigma^{n-1}, \mathcal{I}_p^{n-1})$ according to exactly one of the five cases in the definition of $R_{(g_p,f_p)}$ (cf. Definition 4.17). Consider these five cases:

1. Define: $m(n) = m(n-1) + 1$ and $\mathcal{I}^{-m(n)} = \mathcal{I}^{-(m(n)-1)} \lambda$.

2. Define: $m(n) = m(n-1)$.

3. Define: $m(n) = m(n-1) + 1$ and $\mathcal{I}^{-m(n)} = \mathcal{I}^{-(m(n)-1)} \lambda$.

4. Here let $(a, t) = head(\mathcal{I}_p^{n-1})$.

 (a) Assume $f_p(\Sigma^{n-1}) = w$. Define: $m(n) = m(n-1) + 2$, $\mathcal{I}^{-(m(n)-1)} = \mathcal{I}^{-(m(n)-2)} \lambda$ and $\mathcal{I}^{-m(n)} = \mathcal{I}^{-(m(n)-1)} a$.

 (b) Assume $f_p(\Sigma^{n-1}) = (w, b, s)$. Define: $m(n) = m(n-1) + 1$ and $\mathcal{I}^{-m(n)} = \mathcal{I}^{-(m(n)-1)} a$.

5. Define: $m(n) = m(n-1) + 1$ and $\mathcal{I}^{-m(n)} = \mathcal{I}^{-(m(n)-1)} \lambda$.

This concludes the inductive definition. Only case 2 above does not increment $m$. However, this case occurs at most once, namely if $\Sigma^{n-1}$ is finite and $\Sigma^n$ is not. Thus, $\lim_n m(n) = \infty$. This also implies that $(\mathcal{I}^{-n})_{n \ge 0}$ is a chain ordered by prefix. Now, define $\mathcal{I} = \lim_n \mathcal{I}^{-n}$ and, for all $n$, let $\mathcal{I}^n = \mathcal{I} - \mathcal{I}^{-n}$. (Thus, $\mathcal{I}^{-n} \frown \mathcal{I}^n = \mathcal{I}$.)

We now argue that $\mathcal{I}$ is an environment sequence for $A$. With an argument similar to the one that shows $\lim_{n \to \infty} m(n) = \infty$, it is easy to see that $\mathcal{I}$ is infinite. Now, assume that $\mathcal{I}$ does not contain infinitely many occurrences of $\lambda$. This implies that there exists a number $n'$ such that for all $n > n'$, the inductive step is handled by case 4b above. Let, for all $k \ge n'$, $f_p(\Sigma^k) = (w^k, a^k, s^k)$. Then by definition of $f_p$, $ltime(w^k) = \max(ltime(\Sigma^k), lloctime(\Sigma^k) + \delta)$ which, since case 4b adds input actions, equals $\max(ltime(\Sigma^k), lloctime(\Sigma^{n'}) + \delta)$.




• Assume $lloctime(\Sigma^{n'}) + \delta \ge ltime(\Sigma^{n'})$. Then $ltime(\Sigma^{n'+1}) \le ltime(w^{n'}) = lloctime(\Sigma^{n'}) + \delta$. By induction it is easy to see that for all $k \ge n'$, $ltime(\Sigma^k) \le lloctime(\Sigma^{n'}) + \delta$, which implies that $ltime(\Sigma') \le lloctime(\Sigma^{n'}) + \delta$. But this contradicts the fact that $\Sigma'$ is admissible.

• Assume $lloctime(\Sigma^{n'}) + \delta < ltime(\Sigma^{n'})$. Then $ltime(\Sigma^{n'+1}) \le ltime(w^{n'}) = ltime(\Sigma^{n'})$, and, by definition of $R_{(g_p,f_p)}$, $ltime(\Sigma^{n'+1}) \ge ltime(\Sigma^{n'})$. Thus, $ltime(\Sigma^{n'+1}) = ltime(\Sigma^{n'})$. Again, by induction, $ltime(\Sigma') \le ltime(\Sigma^{n'})$, and since $\Sigma^{n'}$ is finite, this contradicts the fact that $\Sigma'$ is admissible.

Thus, both cases lead to a contradiction, which allows the conclusion that $\mathcal{I}$ contains infinitely many occurrences of $\lambda$. Finally, $\mathcal{I}$ consists of actions from $in(A_p) \cup \{\lambda\}$. Since, by Definition 5.1, $in(A) = in(A_p)$, $\mathcal{I}$ is an infinite sequence over $in(A) \cup \{\lambda\}$ containing infinitely many occurrences of $\lambda$. Thus, $\mathcal{I}$ is an environment sequence for $A$.

Similar to the way $(\mathcal{I}^{-n})_{n \ge 0}$ is defined, now define a chain $(\alpha^n)_{n \ge 0}$ of executions of $A$, ordered by prefix. Thus, define $\alpha^0$ and, for each $n > 0$ and each $m(n-1) < k \le m(n)$, $\alpha^k$ such that $\alpha^{k-1} \le \alpha^k$. In the same induction prove, for each $n$:

P1 $untime(\Sigma^n) = \alpha^{m(n)}$.

P2 If $n > 0$ then for each $m(n-1) < k \le m(n)$, $R_{(g,f)}(\alpha^{k-1}, \mathcal{I}^{k-1}) = (\alpha^k, \mathcal{I}^k)$.
Base case $n = 0$:

Define: $\alpha^0 = untime(\Sigma)$.

P1 $untime(\Sigma^0) = untime(\Sigma) = \alpha^0 = \alpha^{m(0)}$.

P2 Vacuously satisfied.

Inductive step $n > 0$:

Assume P1 as induction hypothesis. Again consider the five cases in the definition of $R_{(g_p,f_p)}$.

Case 1 Here $(\Sigma^n, \mathcal{I}_p^n) = (\Sigma^{n-1} \frown w a \{s\}, \mathcal{I}_p^{n-1})$ with $f_p(\Sigma^{n-1}) = (w, a, s)$. Then, by definition of $(g_p, f_p)$, $f(untime(\Sigma^{n-1})) = (a, s.basic)$. Furthermore, by the induction hypothesis and the definition of $m(n)$, $untime(\Sigma^{n-1}) = \alpha^{m(n-1)} = \alpha^{m(n)-1}$.

Define: $\alpha^{m(n)} = \alpha^{m(n)-1} a (s.basic)$.

P1 $untime(\Sigma^n) = untime(\Sigma^{n-1} \frown w a \{s\}) = untime(\Sigma^{n-1}) \frown untime(w a \{s\}) = \alpha^{m(n)-1} \frown (fstate(w).basic) a (s.basic) = \alpha^{m(n)-1} a (s.basic) = \alpha^{m(n)}$.

P2 This condition must be shown for $k = m(n)$. The definition of $\mathcal{I}^{-m(n)}$ above implies $\mathcal{I}^{m(n)-1} = \mathcal{I} - \mathcal{I}^{-(m(n)-1)} = \lambda(\mathcal{I} - \mathcal{I}^{-m(n)}) = \lambda \mathcal{I}^{m(n)}$. By case 1 of the definition of $R_{(g,f)}$ (cf. Definition 3.12) the result now follows.
Case 2 Here $\Sigma^n = \Sigma^{n-1} \frown w$ where $w = f_p(\Sigma^{n-1})$. Also $m(n) = m(n-1)$ in this case.

P1 $untime(\Sigma^n) = untime(\Sigma^{n-1} \frown w) = untime(\Sigma^{n-1}) = \alpha^{m(n-1)} = \alpha^{m(n)}$.

P2 Vacuously satisfied.

Case 3 This case is handled similarly to case 1.


Case 4 Here, let $(a, t) = head(\mathcal{I}_p^{n-1})$. Then, $(\Sigma^n, \mathcal{I}_p^n) = (\Sigma^{n-1} \frown w' a \{s'\}, tail(\mathcal{I}_p^{n-1}))$, where $w' = (f_p(\Sigma^{n-1}).trj) \triangleleft t$ (the prefix of the trajectory chosen by $f_p$ ending at time $t$) and $s' = g_p(\Sigma^{n-1} \frown w', a)$. Then, the induction hypothesis and the definition of $(g_p, f_p)$ imply $g(untime(\Sigma^{n-1} \frown w'), a) = g(untime(\Sigma^{n-1}), a) = g(\alpha^{m(n-1)}, a) = s'.basic$.

Case 4.1 Assume $f_p(\Sigma^{n-1}) = w$.

Then the induction hypothesis and the definitions of $(g_p, f_p)$ and $m(n)$ imply $f(untime(\Sigma^{n-1})) = f(\alpha^{m(n-1)}) = f(\alpha^{m(n)-2}) = \bot$.

Define: $\alpha^{m(n)-1} = \alpha^{m(n)-2}$ and $\alpha^{m(n)} = \alpha^{m(n)-1} a (s'.basic)$.

P1 $untime(\Sigma^n) = untime(\Sigma^{n-1} \frown w' a \{s'\}) = untime(\Sigma^{n-1}) a (s'.basic) = \alpha^{m(n-1)} a (s'.basic) = \alpha^{m(n)-2} a (s'.basic) = \alpha^{m(n)-1} a (s'.basic) = \alpha^{m(n)}$.

P2 This condition must be shown for $k = m(n) - 1$ and $k = m(n)$. As for the previous cases, it is easy to see that $\mathcal{I}^{m(n)-2} = \lambda \mathcal{I}^{m(n)-1}$. Then the result for $k = m(n) - 1$ directly follows from case 2 of the definition of $R_{(g,f)}$. Similarly, $\mathcal{I}^{m(n)-1} = a \mathcal{I}^{m(n)}$. Furthermore, $g(\alpha^{m(n-1)}, a) = s'.basic$ which implies $g(\alpha^{m(n)-2}, a) = g(\alpha^{m(n)-1}, a) = s'.basic$. Now the result for $k = m(n)$ follows from case 3 of the definition of $R_{(g,f)}$.

Case 4.2 Assume $f_p(\Sigma^{n-1}) = (w, b, s)$.

Define: $\alpha^{m(n)} = \alpha^{m(n)-1} a (s'.basic)$.

P1 $untime(\Sigma^n) = untime(\Sigma^{n-1} \frown w' a \{s'\}) = untime(\Sigma^{n-1}) a (s'.basic) = \alpha^{m(n-1)} a (s'.basic) = \alpha^{m(n)-1} a (s'.basic) = \alpha^{m(n)}$.

P2 This condition must be shown for $k = m(n)$. Since $\mathcal{I}^{m(n)-1} = a \mathcal{I}^{m(n)}$ and $g(\alpha^{m(n-1)}, a) = g(\alpha^{m(n)-1}, a) = s'.basic$, the result follows from case 3 of the definition of $R_{(g,f)}$.


Case 5 In this case $(\Sigma^n, \mathcal{I}_p^n) = (\Sigma^{n-1}, \mathcal{I}_p^{n-1})$.

Define: $\alpha^{m(n)} = \alpha^{m(n-1)}$.

P1 The induction hypothesis and the definition of $m(n)$ imply that $untime(\Sigma^n) = untime(\Sigma^{n-1}) = \alpha^{m(n-1)} = \alpha^{m(n)-1} = \alpha^{m(n)}$.

P2 This condition must be shown for $k = m(n)$. By definition of $(\Sigma^n)_{n \ge 0}$, there exists an $n' < n$ such that $\Sigma^{n'}$ is finite, $f_p(\Sigma^{n'}) = w$ for some $w$, and $\Sigma^{n'+1} = \Sigma^{n'+2} = \cdots = \Sigma^{n-1} = \Sigma^n$. Then Definition 5.6 of $(g_p, f_p)$ implies that $f(untime(\Sigma^{n'})) = \bot$ and then, since $untime(\Sigma^{n'}) = untime(\Sigma^{n-1})$, $f(untime(\Sigma^{n-1})) = \bot$. Thus, by the induction hypothesis and the definition of $m(n)$, $f(\alpha^{m(n-1)}) = f(\alpha^{m(n)-1}) = \bot$. By definition of $\mathcal{I}^{-m(n)}$, $\mathcal{I}^{m(n)-1} = \mathcal{I} - \mathcal{I}^{-(m(n)-1)} = \lambda(\mathcal{I} - \mathcal{I}^{-m(n)}) = \lambda \mathcal{I}^{m(n)}$. Now, since $\alpha^{m(n)} = \alpha^{m(n)-1}$, $f(\alpha^{m(n)-1}) = \bot$, and $\mathcal{I}^{m(n)-1} = \lambda \mathcal{I}^{m(n)}$, the result follows from case 2 in the definition of $R_{(g,f)}$ (cf. Definition 3.12).


This concludes the inductive definition and proof. By P2 and the fact that $\lim_{n \to \infty} m(n) = \infty$, $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ is the outcome sequence of $(g,f)$ given $untime(\Sigma)$ and $\mathcal{I}$. Now,

$$\begin{array}{rcll}
untime(\Sigma') & = & untime(\lim_{n \to \infty} \Sigma^n) & (1) \\
 & = & \lim_{n \to \infty} (untime(\Sigma^n)) & (2) \\
 & = & \lim_{n \to \infty} \alpha^{m(n)} & (3) \\
 & = & \lim_{n \to \infty} \alpha^n & (4) \\
 & = & O_{(g,f)}(untime(\Sigma), \mathcal{I}) & (5)
\end{array}$$

where step 1 follows from the definition of $\Sigma'$, step 2 follows from continuity of $untime$ (easy to verify), step 3 follows from P1 in the induction proof, step 4 follows from the fact that $\lim_n m(n) = \infty$, and finally step 5 follows from the fact that $(\alpha^n, \mathcal{I}^n)_{n \ge 0}$ is the outcome sequence of $(g,f)$ given $untime(\Sigma)$ and $\mathcal{I}$. This concludes the proof. ■
Lemma 5.9


Let $A$ be a safe I/O automaton with $\nu \notin acts(A)$ and let $(g,f)$ be an (untimed) strategy defined on $A$. Let $A_p = \mathit{patient}(A)$ and $(g_p, f_p) = \mathit{patient}_\delta(g,f)$ for some arbitrary positive real number $\delta$. Let $\Sigma \in t\text{-}exec^*(A_p)$ be an arbitrary finite timed execution of $A_p$, $\mathcal{I}$ an arbitrary timed environment sequence for $A_p$ compatible with $\Sigma$, and $\Sigma'$ an arbitrary timed execution of the outcome $O_{(g_p,f_p)}(\Sigma, \mathcal{I})$. Then for any two elements $(a_1, t_1)$ and $(a_2, t_2)$ in $t\text{-}seq(\Sigma' - \Sigma) \upharpoonright (local(A_p) \times T)$, $|t_2 - t_1| \ge \delta$.


Proof. Let $(a_1, t_1)$ and $(a_2, t_2)$ be two arbitrary pairs in $\gamma = t\text{-}seq(\Sigma' - \Sigma) \upharpoonright (local(A_p) \times T)$ and assume, without loss of generality, that $(a_1, t_1)$ occurs before $(a_2, t_2)$ in $\gamma$. This implies that $t_2 \ge t_1$. Furthermore, assume, again without loss of generality, that $(a_1, t_1)$ and $(a_2, t_2)$ are consecutive in $\gamma$. Let $(\Sigma^n, \mathcal{I}^n)_{n \ge 0}$ be an outcome sequence of $(g_p, f_p)$ given $\Sigma$ and $\mathcal{I}$ such that $\Sigma' = \lim_{n \to \infty} \Sigma^n$.

Definition 4.17 now implies the existence of a number $n$ such that $(a_2, t_2)$ is not in $t\text{-}seq(\Sigma^n - \Sigma) \upharpoonright (local(A_p) \times T)$ and $\Sigma^{n+1} = \Sigma^n \frown w a_2 \{s\}$ with $f_p(\Sigma^n) = (w, a_2, s)$ and $ltime(w) = t_2$. Also, $(a_1, t_1)$ must be in $t\text{-}seq(\Sigma^n - \Sigma) \upharpoonright (local(A_p) \times T)$ since otherwise it could not occur before $(a_2, t_2)$ in $\gamma$. Let $t_l = lloctime(\Sigma^n)$. Since $a_1 \in local(A_p)$, $t_1 \le t_l$.

By definition of $f_p$ (Definition 5.6), $ltime(w) = \max(ltime(\Sigma^n), lloctime(\Sigma^n) + \delta)$. Thus, $t_2 = ltime(w) \ge t_l + \delta \ge t_1 + \delta$, or equivalently, $t_2 - t_1 \ge \delta$. That suffices. ■
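As an added illustration (not part of the paper), the following Python sketch implements Definitions 5.5 and 5.6 over a constructed counter automaton, runs one outcome of the patient strategy through the local-step and input-step cases of the next-relation, and checks the spacing property of Lemma 5.9 on the local-action times. Trajectories are represented as constant-valued intervals, which is all patient(A) needs; the automaton, its untimed strategy (g_counter, f_counter) and the input times are constructed here, not taken from the paper.

```python
"""Definitions 5.5/5.6 and Lemma 5.9 run on a constructed example (added, not from the paper)."""
from __future__ import annotations
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

Basic = int                        # basic (untimed) states of the example automaton
TState = Tuple[Basic, float]       # states of patient(A): (basic, now)


@dataclass(frozen=True)
class Traj:
    """Trajectory of patient(A): the basic state is constant while time passes."""
    basic: Basic
    ftime: float
    ltime: float                   # math.inf for the trajectory of the bottom case


TExec = List[Union[Traj, str]]     # w0 a1 w1 ... an wn, trajectories and actions alternating


def untime(sigma: TExec) -> list:
    """Drop time: keep fstate(w_i).basic and the actions (cf. Lemma 5.3)."""
    return [x.basic if isinstance(x, Traj) else x for x in sigma]


def lloctime(sigma: TExec, local: Set[str]) -> float:
    """Definition 5.5: ftime(w_i) for the last locally-controlled a_i, else 0."""
    for i in range(len(sigma) - 2, 0, -2):          # actions sit at odd indices
        if sigma[i] in local:
            return sigma[i + 1].ftime
    return 0.0


def patient_strategy(g, f, local: Set[str], delta: float):
    """Definition 5.6: (g_p, f_p) = patient_delta(g, f) for an untimed strategy (g, f) on A."""
    def g_p(sigma: TExec, a: str) -> TState:
        return (g(untime(sigma), a), sigma[-1].ltime)

    def f_p(sigma: TExec):
        last = sigma[-1]
        choice = f(untime(sigma))
        if choice is None:                           # f(untime(Sigma)) = bottom
            return Traj(last.basic, last.ltime, math.inf)   # let time pass forever
        a, s_basic = choice                          # wait until lloctime + delta at least
        w = Traj(last.basic, last.ltime, max(last.ltime, lloctime(sigma, local) + delta))
        return (w, a, (s_basic, w.ltime))
    return g_p, f_p


def extend(sigma: TExec, w: Traj, a: str, s: TState) -> TExec:
    """Sigma ^ w a {s}; the last trajectory of Sigma merges with w since fstate(w) = lstate(Sigma)."""
    last = sigma[-1]
    assert (last.basic, last.ltime) == (w.basic, w.ftime), "concatenation mismatch"
    return sigma[:-1] + [Traj(last.basic, last.ftime, w.ltime), a, Traj(s[0], s[1], s[1])]


def local_step(sigma: TExec, f_p) -> TExec:
    """Case 1 of the next-relation: the strategy performs the local action it chose."""
    r = f_p(sigma)
    assert isinstance(r, tuple), "f_p chose bottom: only an input can continue Sigma"
    w, a, s = r
    return extend(sigma, w, a, s)


def input_step(sigma: TExec, g_p, f_p, a: str, t: float) -> TExec:
    """Case 4 of the next-relation: time passes along f_p(Sigma)'s trajectory up to t, where input a occurs."""
    r = f_p(sigma)
    w = r[0] if isinstance(r, tuple) else r
    assert w.ftime <= t <= w.ltime, "input time outside the trajectory's domain"
    last = sigma[-1]
    sigma_t = sigma[:-1] + [Traj(last.basic, last.ftime, t)]   # Sigma ^ (w truncated at t)
    return extend(sigma, Traj(w.basic, w.ftime, t), a, g_p(sigma_t, a))


def local_times(sigma: TExec, local: Set[str]) -> List[float]:
    """t-seq(Sigma) restricted to local(A_p): the occurrence times of local actions."""
    return [sigma[i + 1].ftime for i in range(1, len(sigma), 2) if sigma[i] in local]


def min_gap(times: List[float]) -> float:
    return min((b - a for a, b in zip(times, times[1:])), default=math.inf)


# Constructed example automaton: a counter that outputs 'tick'; the input 'reset' clears it.
TICK, RESET = "tick", "reset"
LOCAL = {TICK}


def g_counter(alpha: list, a: str) -> Basic:
    return 0 if a == RESET else alpha[-1]


def f_counter(alpha: list) -> Optional[Tuple[str, Basic]]:
    count = alpha[-1]
    return None if count == 3 else (TICK, count + 1)   # at 3 the strategy chooses bottom


def demo(delta: float = 1.0):
    """One outcome of patient_delta(g_counter, f_counter): local times, Lemma 5.9 check, untime."""
    g_p, f_p = patient_strategy(g_counter, f_counter, LOCAL, delta)
    sigma: TExec = [Traj(0, 0.0, 0.0)]          # start state (0, 0) at time 0
    for _ in range(3):
        sigma = local_step(sigma, f_p)          # ticks at delta, 2 delta, 3 delta
    sigma = input_step(sigma, g_p, f_p, RESET, 3.4 * delta)   # reset while time passes forever
    for _ in range(3):
        sigma = local_step(sigma, f_p)          # ticks at 4, 5, 6 delta: never before lloctime + delta
    sigma = input_step(sigma, g_p, f_p, RESET, 9.25 * delta)  # a late reset
    sigma = local_step(sigma, f_p)              # tick at once (9.25 delta): more than delta has passed
    times = local_times(sigma, LOCAL)
    return times, min_gap(times) >= delta, untime(sigma)
```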
It is now possible to prove that for any environment-free strategy $(g,f)$ for a live I/O automaton $(A, L)$ and any positive $\delta$, $\mathit{patient}_\delta(g,f)$ is an environment-free (timed) strategy for $(A_p,\ L_p \cup t\text{-}exec^{Zi}(A_p))$, where $(A_p, L_p) = \mathit{patient}(A, L)$.


Lemma 5.10 


Let $(A, L)$ be a live I/O automaton with $\nu \notin acts(A)$ and let $(g,f)$ be an (untimed) environment-free strategy for $(A, L)$. Furthermore, let $(A_p, L_p) = \mathit{patient}(A, L)$. Then, for any positive real number $\delta$, $\mathit{patient}_\delta(g,f)$ is a (timed) environment-free strategy for $(A_p,\ L_p \cup t\text{-}exec^{Zi}(A_p))$.


Proof. Let $\delta$ be an arbitrary positive real number and let $(g_p, f_p) = \mathit{patient}_\delta(g,f)$. Note that by Lemma 5.7 $(g_p, f_p)$ is a (timed) strategy defined on $A_p$. By Definition 4.22 one must show that

1. $A_p$ is a safe timed I/O automaton,

2. $L_p \cup t\text{-}exec^{Zi}(A_p) \subseteq t\text{-}exec(A_p)$,

3. $O_{(g_p,f_p)}(\Sigma, \mathcal{I}_p) \subseteq L_p \cup t\text{-}exec^{Zi}(A_p)$, for all $\Sigma \in t\text{-}exec^*(A_p)$ and all timed environment sequences $\mathcal{I}_p$ for $A_p$ compatible with $\Sigma$, and

4. $(g_p, f_p)$ is Zeno-tolerant.

Consider the points one at a time.

1. Definition 5.1 directly implies that $A_p$ is a safe timed I/O automaton.

2. By Definition 5.4, $L_p \subseteq t\text{-}exec^\infty(A_p)$ and since also $t\text{-}exec^{Zi}(A_p) \subseteq t\text{-}exec(A_p)$, the result follows.

3. Let $\Sigma \in t\text{-}exec^*(A_p)$ be an arbitrary finite timed execution of $A_p$ and $\mathcal{I}_p$ be an arbitrary timed environment sequence for $A_p$ compatible with $\Sigma$. Let $\Sigma' \in O_{(g_p,f_p)}(\Sigma, \mathcal{I}_p)$ be an arbitrary element of the outcome. By Lemma 4.18, $\Sigma'$ is either Zeno or admissible.

 • Assume $\Sigma'$ is Zeno. Then, by Lemma 5.9 there are only finitely many locally-controlled actions of $A_p$ in $\Sigma'$. Now, Lemma 4.18 implies that $\Sigma'$ contains infinitely many input actions. Thus, $\Sigma' \in t\text{-}exec^{Zi}(A_p)$. That suffices.

 • Assume $\Sigma'$ is admissible. By Lemma 5.8 there exists an environment sequence $\mathcal{I}$ for $A$ such that $untime(\Sigma') = O_{(g,f)}(untime(\Sigma), \mathcal{I})$. The fact that $(g,f)$ is an environment-free strategy for $(A, L)$ implies $untime(\Sigma') \in L$. This implies, by Definition 5.4, that $\Sigma' \in L_p$. That suffices.

4. To prove that $(g_p, f_p)$ is Zeno-tolerant (cf. Definition 4.21), it suffices to note that the previous case implies the following. For arbitrary $\Sigma \in t\text{-}exec^*(A_p)$ and arbitrary timed environment sequences $\mathcal{I}_p$ for $A_p$ compatible with $\Sigma$, $O_{(g_p,f_p)}(\Sigma, \mathcal{I}_p) \subseteq L_p \cup t\text{-}exec^{Zi}(A_p)$, where $L_p \subseteq t\text{-}exec^\infty(A_p)$ by Definition 5.4. ■
Finally, we can prove that for any live I/O automaton $(A, L)$, $\mathit{patient}(A, L)$ is a live timed I/O automaton.


Proposition 5.11 
Let $(A, L)$ be a live I/O automaton. Then $\mathit{patient}(A, L)$ is a live timed I/O automaton.


Proof. Let $(A_p, L_p) = \mathit{patient}(A, L)$. Definition 5.1 implies that $A_p$ is a safe timed I/O automaton. Furthermore, $L_p \subseteq t\text{-}exec^\infty(A_p)$ by Definition 5.4. Finally, Lemma 5.10 implies that the pair $(A_p,\ L_p \cup t\text{-}exec^{Zi}(A_p))$ is environment-free. By Definition 4.23, this suffices. ■


Now attention is turned to proving the Embedding Theorem, which states that the safe and 
live preorders of live I/O automata are preserved by the patient operator. A few preliminary 
lemmas are needed. 


Lemma 5.12 


Let $A$ be a safe I/O automaton with $\nu \notin acts(A)$ and let $A_p = \mathit{patient}(A)$. Furthermore, let $\Sigma \in t\text{-}exec(A_p)$. Then,

$$untime(t\text{-}trace_{A_p}(\Sigma)) = trace_A(untime(\Sigma))$$

Proof. Let $\Sigma = w_0 a_1 w_1 a_2 w_2 \cdots$.

Then, $t\text{-}trace_{A_p}(\Sigma) = (((a_1, ftime(w_1))(a_2, ftime(w_2)) \cdots) \upharpoonright (vis(A_p) \times T),\ ltime(\Sigma))$ and it follows that $untime(t\text{-}trace_{A_p}(\Sigma)) = a_1 a_2 \cdots \upharpoonright vis(A_p)$.

Now, $untime(\Sigma) = (fstate(w_0).basic)\, a_1\, (fstate(w_1).basic)\, a_2\, (fstate(w_2).basic) \cdots$ and it follows that $trace_A(untime(\Sigma)) = a_1 a_2 \cdots \upharpoonright ext(A)$.

By Definition 5.1, $vis(A_p) = ext(A)$, so the result follows. ■
Lemma 5.13 
Let $(A, L)$ be a live I/O automaton with $\nu \notin acts(A)$. Then,

1. If $\gamma \in t\text{-}traces(\mathit{patient}(A))$ then $untime(\gamma) \in traces(A)$.

2. If $\beta \in traces(A)$ and $\gamma \in tsp(ext(A))$ with $\beta = untime(\gamma)$ such that if $seq(\gamma)$ is Zeno, then $ltime(\gamma)$ is the limit of the times in $seq(\gamma)$, then $\gamma \in t\text{-}traces(\mathit{patient}(A))$.

3. If $\gamma \in t\text{-}traces(\mathit{patient}_A(L))$ then $untime(\gamma) \in traces(L)$.

4. If $\beta \in traces(L)$ and $\gamma \in tsp(ext(A))$ is admissible with $\beta = untime(\gamma)$, then $\gamma \in t\text{-}traces(\mathit{patient}_A(L))$.


Proof. Let $(A_p, L_p) = \mathit{patient}(A, L)$. Consider the four parts separately.

1. Let $\gamma \in t\text{-}traces(A_p)$ and $\Sigma \in t\text{-}exec(A_p)$ such that $t\text{-}trace(\Sigma) = \gamma$. Then $untime(\gamma) = untime(t\text{-}trace(\Sigma))$ which, by Lemma 5.12, equals $trace(untime(\Sigma))$. By Lemma 5.3, $untime(\Sigma) \in exec(A)$. That suffices.

2. Let $\beta = a^1 a^2 a^3 \cdots \in traces(A)$ and $\gamma \in tsp(ext(A))$ such that $\beta = untime(\gamma)$. Thus, $\gamma = ((a^1, t^1)(a^2, t^2)(a^3, t^3) \cdots,\ t_l)$ for nondecreasing times $t^1, t^2, t^3, \ldots$ and time $t_l$ (possibly $\infty$) greater than or equal to $t^i$ for all $i$ in $\gamma$. Also, let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots \in exec(A)$ such that $\beta = trace(\alpha)$ and $\alpha$ is finite if $\beta$ (and thus $seq(\gamma)$) is finite.

 By definition of $trace$, each external action $a_i$ in $\alpha$ corresponds to an action $a^j$ ($= a_i$) in $\beta$ and thus a pair $(a^j, t^j)$ in $seq(\gamma)$. Define $t^j$ to be the time of occurrence $t_i$ of $a_i$. For internal actions $a_i$ in $\alpha$, define the time of occurrence $t_i$ to be the time of occurrence of the previous external action in $\alpha$ or $0$ if no such action exists. Define, if $\alpha$ is finite with $a_n$ being its last action, $t_{n+1} = t_l$ (possibly $\infty$).

 Now, define $\Sigma = w_0 a_1 w_1 a_2 w_2 \cdots$ where $dom(w_0) = [0, t_1]$, $rng(w_0) = \{(s_0, t) \mid t \in dom(w_0)\}$, $dom(w_1) = [t_1, t_2]$, $rng(w_1) = \{(s_1, t) \mid t \in dom(w_1)\}$, and $dom(w_2) = [t_2, t_3]$, $rng(w_2) = \{(s_2, t) \mid t \in dom(w_2)\}$. Then clearly, by Definition 5.1, $\Sigma \in t\text{-}exec(A_p)$, and furthermore $t\text{-}trace(\Sigma) = (seq(\gamma), ltime(\Sigma))$. (Note that $vis(A_p) = ext(A)$.)

 If $\alpha$ is finite, then, depending on $t_l$, $\Sigma$ is admissible or finite, but in both cases $ltime(\Sigma) = t_l$.

 If $\alpha$ is infinite, then $seq(\gamma)$ is infinite and

 (1) if $seq(\gamma)$ is Zeno, then $ltime(\Sigma)$ equals the limit of the times in $seq(\gamma)$, which equals $t_l$ by assumption, and

 (2) if $seq(\gamma)$ is admissible, then $\Sigma$ is admissible.

 Thus, in all cases $ltime(\Sigma) = t_l$. Finally, conclude that $t\text{-}trace(\Sigma) = \gamma$ which implies that $\gamma \in t\text{-}traces(A_p)$ as required.

3. Let $\gamma \in t\text{-}traces(L_p)$ and $\Sigma \in L_p$ such that $t\text{-}trace(\Sigma) = \gamma$. Then $untime(\gamma) = untime(t\text{-}trace(\Sigma))$ which, by Lemma 5.12, equals $trace(untime(\Sigma))$. Definition 5.4 and the fact that $\Sigma \in L_p$ imply that $untime(\Sigma) \in L$. That suffices.

4. This proof is similar to the proof of Part 2 except that $\alpha$ is chosen from $L$ and thus might be infinite even though $\beta$ is finite. If this is the case the times of occurrence of the internal actions in the diverging suffix of $\alpha$ are chosen to increase by some fixed amount, say, $1$. Then $\Sigma$ is admissible, and clearly $\alpha = untime(\Sigma)$, so by Definition 5.4, $\Sigma \in L_p$. Thus, $\gamma \in t\text{-}traces(L_p)$. ■


Theorem 5.14 (Embedding Theorem) 
Let $(A, L)$ and $(B, M)$ be live I/O automata with $\nu \notin (acts(A) \cup acts(B))$. Then

1. $(A, L) \sqsubseteq_S (B, M)$ iff $\mathit{patient}(A, L) \sqsubseteq_{St} \mathit{patient}(B, M)$.

2. $(A, L) \sqsubseteq_L (B, M)$ iff $\mathit{patient}(A, L) \sqsubseteq_{Lt} \mathit{patient}(B, M)$.
Proof. Let $(A_p, L_p) = \mathit{patient}(A, L)$ and $(B_p, M_p) = \mathit{patient}(B, M)$. The two parts of the theorem are considered separately.

1. $\Rightarrow$: Let $\gamma \in t\text{-}traces(A_p)$. By Lemma 5.13 Part 1, $\beta = untime(\gamma) \in traces(A)$, which implies, since $(A, L) \sqsubseteq_S (B, M)$, that $\beta \in traces(B)$. Now, the fact that $\gamma$ is a timed sequence pair over $vis(A_p) = vis(B_p) = ext(B)$ and the fact that $\gamma$ satisfies the property that $seq(\gamma)$ being Zeno implies $ltime(\gamma)$ is the limit of the times in $seq(\gamma)$, Lemma 5.13 Part 2 implies that $\gamma \in t\text{-}traces(B_p)$, as required.

 $\Leftarrow$: Let $\beta \in traces(A)$ and let $\gamma$ be any, say, admissible timed sequence pair over $ext(A)$ such that $untime(\gamma) = \beta$. (Such a timed sequence pair clearly exists.) Then, by Lemma 5.13 Part 2, $\gamma \in t\text{-}traces(A_p)$. Thus, the assumption that $\mathit{patient}(A, L) \sqsubseteq_{St} \mathit{patient}(B, M)$ implies $\gamma \in t\text{-}traces(B_p)$. Lemma 5.13 Part 1 shows that $\beta = untime(\gamma) \in traces(B)$, as required.

2. Similar to Part 1 by using Lemma 5.13 Parts 3 and 4. ■


Finally we prove a result which is important when doing specification and verification in a 
modular fashion. Namely, the patient operator commutes with the three operators on safe and 
live (timed) I/O automata. First, let $\equiv_{St}$ and $\equiv_{Lt}$ denote the kernels of the preorders $\sqsubseteq_{St}$ and $\sqsubseteq_{Lt}$, respectively.²


Proposition 5.15 
Let $(A, L)$ and $(A_1, L_1), \ldots, (A_n, L_n)$ be live I/O automata and let $\equiv_X$ be one of $\equiv_{St}$ and $\equiv_{Lt}$.

1. Let $(A_1, L_1), \ldots, (A_n, L_n)$ be compatible. Then,

$$\mathit{patient}((A_1, L_1) \| \cdots \| (A_n, L_n)) \equiv_X \mathit{patient}(A_1, L_1) \| \cdots \| \mathit{patient}(A_n, L_n)$$

2. Let $\Lambda \subseteq local(A)$. Then,

$$\mathit{patient}((A, L) \setminus \Lambda) \equiv_X \mathit{patient}(A, L) \setminus \Lambda$$

3. Let $\rho$ be an action mapping applicable to $A$ and let $\rho_\nu$ be $\rho$ extended with the mapping $[\nu \mapsto \nu]$. Then,

$$\mathit{patient}(\rho(A, L)) \equiv_X \rho_\nu(\mathit{patient}(A, L))$$

Proof. We show the proofs for $\equiv_{St}$. The proofs for $\equiv_{Lt}$ are similar.


1. First note that since $(A_1, L_1), \ldots, (A_n, L_n)$ are compatible, then also $\mathit{patient}(A_1, L_1), \ldots, \mathit{patient}(A_n, L_n)$ are compatible.


²The kernel of a preorder $\sqsubseteq$ is defined to be the equivalence $\equiv$ given by $x \equiv y$ iff $x \sqsubseteq y \wedge y \sqsubseteq x$.
Observe the simple fact that for each timed execution $\Sigma$, $untime(\Sigma) \upharpoonright A_i = untime(\Sigma \upharpoonright A_i)$.

Then,

$$\begin{array}{cll}
 & \Sigma \in t\text{-}exec(\mathit{patient}(A_1 \| \cdots \| A_n)) & \\
\text{iff} & untime(\Sigma) \in exec(A_1 \| \cdots \| A_n) & \text{Lemma 5.3} \\
\text{iff} & \forall\, 1 \le i \le n : untime(\Sigma) \upharpoonright A_i \in exec(A_i) & \text{Lemma 3.5} \\
\text{iff} & \forall\, 1 \le i \le n : untime(\Sigma \upharpoonright A_i) \in exec(A_i) & \text{observation above} \\
\text{iff} & \forall\, 1 \le i \le n : \Sigma \upharpoonright A_i \in t\text{-}exec(\mathit{patient}(A_i)) & \text{Lemma 5.3} \\
\text{iff} & \Sigma \in t\text{-}exec(\mathit{patient}(A_1) \| \cdots \| \mathit{patient}(A_n)) & \text{Lemma 4.11}
\end{array}$$

That suffices.


2. Note that since $\Lambda \subseteq local(A)$, also $\Lambda \subseteq local(\mathit{patient}(A))$. Then,

$$\begin{array}{cll}
 & \Sigma \in t\text{-}exec(\mathit{patient}(A \setminus \Lambda)) & \\
\text{iff} & untime(\Sigma) \in exec(A \setminus \Lambda) & \text{Lemma 5.3} \\
\text{iff} & untime(\Sigma) \in exec(A) & \text{Lemma 3.7} \\
\text{iff} & \Sigma \in t\text{-}exec(\mathit{patient}(A)) & \text{Lemma 5.3} \\
\text{iff} & \Sigma \in t\text{-}exec(\mathit{patient}(A) \setminus \Lambda) & \text{Lemma 4.13}
\end{array}$$

That suffices.


3. First note that since $\rho$ is applicable to $A$, $\rho_\nu$ is applicable to $\mathit{patient}(A)$. Also note that, since each renaming function $\rho$ is injective, there is an inverse function $\rho^{-1} : \rho(dom(\rho)) \to dom(\rho)$ such that $\rho^{-1}(b)$ is the unique $a$ satisfying $\rho(a) = b$.

Observe the simple fact that for any timed execution $\Sigma$ and any rename function $\rho'$, $\rho'(untime(\Sigma)) = untime(\rho'_\nu(\Sigma))$, where $\rho'_\nu$ is obtained from $\rho'$ by adding the mapping $[\nu \mapsto \nu]$. Then,

$$\begin{array}{cll}
 & \Sigma \in t\text{-}exec(\mathit{patient}(\rho(A))) & \\
\text{iff} & untime(\Sigma) \in exec(\rho(A)) & \text{Lemma 5.3} \\
\text{iff} & \rho^{-1}(untime(\Sigma)) \in exec(A) & \text{Lemma 3.9} \\
\text{iff} & untime(\rho_\nu^{-1}(\Sigma)) \in exec(A) & \text{observation above} \\
\text{iff} & \rho_\nu^{-1}(\Sigma) \in t\text{-}exec(\mathit{patient}(A)) & \text{Lemma 5.3} \\
\text{iff} & \Sigma \in t\text{-}exec(\rho_\nu(\mathit{patient}(A))) & \text{Lemma 4.15}
\end{array}$$

That suffices.


6 Proof Techniques 


This section presents a number of techniques to prove the safe preorder and the live preorder 
on live (timed) I/O automata. The techniques are based on results in [LV93a]([LV93b]), which 
show that several simulation relations between (timed) automata are sound with respect to 
the safe preorder. This section also shows that a stronger result, called the Execution Correspondence Theorem, can be proven for the simulations of [LV93a] ([LV93b]). Specifically, there is a certain correspondence between the executions of the involved automata and not only between their traces. In the untimed model, liveness conditions of live I/O automata are stated in terms of executions and not in terms of traces; thus the Execution Correspondence Theorem can form the basis for proofs of the live preorder. In the timed model, where liveness conditions are given in terms of timed executions, the timed version of the Execution Correspondence Theorem along with a sampling characterization of the live timed executions is used as the basis for proofs of the live preorder.

The proof that a live (timed) I/O automaton A implements (based on the live preorder) 
another live (timed) I/O automaton B consists of two main steps. First a simulation relation 
between the safe (timed) I/O automata parts is proven. Because of the soundness of the 
simulation relations with respect to the safe preorder(s), the simulation relation already implies 
that the safe preorder(s) holds. The second step, which is described in detail in this section, 
uses the simulation relation found in the first step and the Execution Correspondence Theorem 
to prove the live preorder. 

Ideas similar to those of the Execution Correspondence Theorem appear in the soundness 
proofs of the simulations for the safe preorder given in [LT87, LV93a]. The contribution of this 
section is to formally state and prove the Execution Correspondence Theorem for a large class 
of simulations and to show how it can be used as the basis for proving the live preorder. 

Several pragmatic considerations support the approach to verification taken in this section. 
For example, when proving the safe and live preorders in the untimed setting, it is often difficult 
to reason directly about the traces of the involved live I/O automata. In particular, the traces 
of an automaton are defined implicitly as the traces of the executions of the automaton, and 
the liveness condition of a live automaton is usually defined implicitly to be a set of executions 
of the automaton that satisfy certain properties, typically specified in some temporal logic. 
Thus, the sets of traces and live traces are not directly available. Rather, they are derived 
from automata, temporal logic formulas, etc. As a result, simulation based proof techniques 
which use the information available directly, e.g., automata, and which are sound with respect 
to the safe and live preorders, are attractive. 

Furthermore, using our proof methodology, the main complexity of a correctness proof for 
the safe and live preorders is found in the simulation proof. Fortunately, simulation proofs have 
a nice case structure that scales well to large examples and provides good intuitive insight into 
the automata for which the simulation relation is being proven. Another practical advantage of 
our proof methodology for the live preorder is that it proves the safe preorder as a side result. 
The work in [SLL93, LLS93] shows why this can be useful. In [SLL93, LLS93] the five-packet- 
handshake protocol of [Bel76] is shown to guarantee a safety property of “at-most-once message 
delivery”, as well as liveness properties such as “in the absence of crashes, each message will 
eventually be delivered”. However, the liveness of the system depends on liveness assumptions 
on the channels connecting the sender and the receiver: “if a packet is sent infinitely often 
then it will be received infinitely often”. This liveness assumption must hold even though the 
channels are allowed to lose packets. However, if the channel is cut, then correctness as defined 
by the live preorder is no longer ensured. Fortunately, since the safety property is independent of the liveness of the channel, safety is still guaranteed, i.e., no message is delivered more than once.


[Figure 2: Example of a simulation. The figure shows a sequence of specification-level steps above a sequence of implementation-level steps, with the simulation relation linking the states. The actions a and b are external actions. The remaining steps represent internal actions.]


6.1 Untimed Proof Techniques 


Section 6.1.1 defines a number of simulation relations taken from [LV93a]. Section 6.1.2 presents 
the Execution Correspondence Theorem. Finally, Sections 6.1.3 and 6.1.4 deal with proving 
the safe and live preorders, respectively. 


6.1.1 Simulation Proof Techniques 


This section presents simulation relations taken from [LV93a]. For the purpose of generality, 
the definitions are stated in terms of automata. All results are also valid for the special case 
of safe I/O automata. 

A simulation relation is a relation between the states of one automaton, called the concrete, 
low-level, or implementation automaton, and the states of another automaton, called the 
abstract, high-level, or specification automaton, such that certain properties hold. The exact 
properties depend on the type of simulation (forward, backward, etc.) but they generally 
consist of two properties. First, the start states of the two automata must be related in a 
certain way, and, second, each step of the implementation automaton must “correspond” to a 
sequence of steps of the specification automaton. 

The second property is depicted in Figure 2. For each step of the implementation au- 
tomaton, i.e., for each concrete step, there must exist a sequence of (abstract) steps of the 
specification automaton between states related—by the simulation relation—to the pre- and 
post-state of the considered concrete step, such that the sequence of abstract steps contains 
exactly the same external actions as the concrete step. How the sequence of abstract steps is 
selected depends on what type of simulation is considered. 

Below forward simulations, refinement mappings, backward simulations, history relations, 
and prophecy relations are defined. The definitions are similar to the definitions given in 
[LV93a] where combinations of forward and backward simulations are also considered. The 
reader is referred to [LV93a] for details about, e.g., partial completeness of the simulation techniques.

The simulation techniques use invariants (and are thus called weak in [LV93a]) of the 
implementation and specification automata to restrict the steps which need to be considered. 
Define an invariant of an automaton to be any set of states of the automaton that is a superset 
of the reachable states of the automaton. Equivalently, an invariant could be defined to be a 
state predicate that is satisfied for all reachable states of the automaton. 

We use the following notational convention: if $R$ is a relation over $S_1 \times S_2$ and $s_1 \in S_1$, then $R[s_1]$ denotes the set $\{s_2 \in S_2 \mid (s_1, s_2) \in R\}$.


Definition 6.1 (Forward simulation) 


Let $A$ and $B$ be automata with the same external actions and with invariants $I_A$ and $I_B$, respectively. A forward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a relation $f$ over $states(A) \times states(B)$ that satisfies:

1. If $s \in start(A)$ then $f[s] \cap start(B) \ne \emptyset$.

2. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u \in f[s] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ with $fstate(\alpha) = u$, $lstate(\alpha) \in f[s']$, and $trace(\alpha) = trace(a)$.

Write $A \le_F B$ if there exists a forward simulation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$. If $f$ is a forward simulation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, write $A \le_F B$ via $f$. ■


A refinement mapping is a special case of a forward simulation where the relation is a function. 
Because of its practical importance (cf. [AL91a]) an explicit definition is given. 


Definition 6.2 (Refinement mapping) 


Let $A$ and $B$ be automata with the same external actions and with invariants $I_A$ and $I_B$, 
respectively. A refinement mapping from $A$ to $B$, with respect to $I_A$ and $I_B$, is a function $r$ 
from $states(A)$ to $states(B)$ that satisfies: 


1. If $s \in start(A)$ then $r(s) \in start(B)$. 
2. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $r(s) \in I_B$, then there exists an $\alpha \in frag^*(B)$ with 
$fstate(\alpha) = r(s)$, $lstate(\alpha) = r(s')$, and $trace(\alpha) = trace(a)$. 


Write $A \leq_R B$ if there exists a refinement mapping from $A$ to $B$ with respect to some invariants 
$I_A$ and $I_B$. If $r$ is a refinement mapping from $A$ to $B$ with respect to some invariants $I_A$ and 
$I_B$, write $A \leq_R B$ via $r$. ∎ 


In a forward simulation there has to be a sequence of abstract steps starting from any of the 
abstract states related to the concrete pre-state (restricted to the invariant) and ending in 
some state related to the concrete post-state. The word “forward” thus refers to the fact that 
the abstract sequence of steps is constructed from any possible pre-state in a forward direction 
toward the set of possible post-states. 

In a backward simulation, on the other hand, there has to be a sequence of abstract steps 
ending in any state related to the concrete post-state (restricted to the invariant) and starting 
in some state related to the concrete pre-state. In other words, the sequence of abstract steps 
is constructed given a post-state rather than a pre-state as in the forward simulation. Thus, 
in a backward simulation the steps are constructed in a backward direction. 

We need the following definition of image-finiteness for the definition of a backward sim- 
ulation. A relation $R$ over $S_1 \times S_2$ is image-finite if for each $s_1 \in S_1$, $R[s_1]$ is a finite set. 


Definition 6.3 (Backward simulation) 


Let $A$ and $B$ be automata with the same external actions and with invariants $I_A$ and $I_B$, 
respectively. A backward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a relation $b$ 
over $states(A) \times states(B)$ that satisfies: 


1. If $s \in I_A$ then $b[s] \cap I_B \neq \emptyset$. 
2. If $s \in start(A)$ then $b[s] \cap I_B \subseteq start(B)$. 


3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u' \in b[s'] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ 
with $lstate(\alpha) = u'$, $fstate(\alpha) \in b[s] \cap I_B$, and $trace(\alpha) = trace(a)$. 


Write $A \leq_B B$ if there exists a backward simulation from $A$ to $B$ with respect to some invariants 
$I_A$ and $I_B$. Furthermore, if the backward simulation is image-finite, write $A \leq_{iB} B$. If $b$ is a 
backward simulation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, write $A \leq_B B$ 
(or $A \leq_{iB} B$ when $b$ is image-finite) via $b$. ∎ 
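As an added example (not code from the paper), the following Python checks Conditions 1 and 2 of Definition 6.1 and Conditions 1 to 3 of Definition 6.3 on finite automata, finding the matching fragment in $frag^*(B)$ by a search over internal steps. The automata, relations and invariants in it are constructed for the illustration; the second pair of automata shows a trace inclusion that a backward simulation establishes but no forward simulation can.

```python
"""Checking forward and backward simulations (Definitions 6.1 and 6.3) on
finite automata. Added example, not code from the paper. An automaton is a
dict with its states, start states, external actions and steps; every other
action is internal. An invariant defaults to the whole state set, which is
always a superset of the reachable states."""
from collections import deque


def internal_closure(aut, states):
    """States reachable from `states` by zero or more internal steps."""
    seen, todo = set(states), deque(states)
    while todo:
        x = todo.popleft()
        for (p, a, q) in aut["steps"]:
            if p == x and a not in aut["ext"] and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen


def frag_targets(aut, u, action):
    """Last states of the fragments in frag*(aut) that start in u and whose
    trace equals trace(action): internal steps only if `action` is internal,
    otherwise internal steps around exactly one step labelled `action`."""
    before = internal_closure(aut, {u})
    if action not in aut["ext"]:
        return before
    after = {q for (p, a, q) in aut["steps"] if p in before and a == action}
    return internal_closure(aut, after)


def reversed_automaton(aut):
    # Every step turned around, so fragments can be searched from their last state.
    return dict(aut, steps={(q, a, p) for (p, a, q) in aut["steps"]})


def is_forward_simulation(A, B, f, inv_A=None, inv_B=None):
    """Definition 6.1; f maps each state s of A to the set f[s] of states of B."""
    inv_A = A["states"] if inv_A is None else inv_A
    inv_B = B["states"] if inv_B is None else inv_B
    # Condition 1: f[s] meets start(B) for every start state s of A.
    if any(not (f.get(s, set()) & B["start"]) for s in A["start"]):
        return False
    # Condition 2: every concrete step inside the invariant is matched, from
    # every related abstract state, by a fragment ending in a state of f[s'].
    for (s, a, s2) in A["steps"]:
        if s in inv_A and s2 in inv_A:
            for u in f.get(s, set()) & inv_B:
                if not (frag_targets(B, u, a) & f.get(s2, set())):
                    return False
    return True


def is_backward_simulation(A, B, b, inv_A=None, inv_B=None):
    """Definition 6.3; the matching fragment is searched from its last state."""
    inv_A = A["states"] if inv_A is None else inv_A
    inv_B = B["states"] if inv_B is None else inv_B
    # Condition 1: b[s] meets the invariant of B for every s in the invariant of A.
    if any(not (b.get(s, set()) & inv_B) for s in inv_A):
        return False
    # Condition 2: the related invariant states of a start state are start states.
    if any(not ((b.get(s, set()) & inv_B) <= B["start"]) for s in A["start"]):
        return False
    # Condition 3: for every u' related to s', some fragment with the right trace
    # ends in u' and starts in a state related to s (search in the reversed B).
    rev = reversed_automaton(B)
    for (s, a, s2) in A["steps"]:
        if s in inv_A and s2 in inv_A:
            for u2 in b.get(s2, set()) & inv_B:
                if not (frag_targets(rev, u2, a) & b.get(s, set()) & inv_B):
                    return False
    return True


# Constructed automata: IMPL buffers a message and delivers it with an
# internal "flush" step; SPEC has no such step, so that step is matched by
# the empty fragment (the trace of "flush" is the empty sequence).
IMPL = {"states": {"idle", "buf", "sent"}, "start": {"idle"},
        "ext": {"send", "ack"},
        "steps": {("idle", "send", "buf"), ("buf", "flush", "sent"),
                  ("sent", "ack", "idle")}}
SPEC = {"states": {"i", "s"}, "start": {"i"}, "ext": {"send", "ack"},
        "steps": {("i", "send", "s"), ("s", "ack", "i")}}
F_IMPL = {"idle": {"i"}, "buf": {"s"}, "sent": {"s"}}

# Constructed automata: LATE decides between b and c only after a, EARLY
# decides with the a step itself. LATE has exactly the traces of EARLY, but
# no forward simulation from LATE to EARLY exists (c is impossible from u1,
# b from u2); the relation REL is a backward simulation and shows it.
LATE = {"states": {"s0", "s1", "s2", "s3"}, "start": {"s0"},
        "ext": {"a", "b", "c"},
        "steps": {("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3")}}
EARLY = {"states": {"u0", "u1", "u2", "u3", "u4"}, "start": {"u0"},
         "ext": {"a", "b", "c"},
         "steps": {("u0", "a", "u1"), ("u0", "a", "u2"),
                   ("u1", "b", "u3"), ("u2", "c", "u4")}}
REL = {"s0": {"u0"}, "s1": {"u1", "u2"}, "s2": {"u3"}, "s3": {"u4"}}
# The inverse of REL is a forward simulation in the other direction.
REL_INV = {"u0": {"s0"}, "u1": {"s1"}, "u2": {"s1"}, "u3": {"s2"}, "u4": {"s3"}}
```

Calling `is_forward_simulation(LATE, EARLY, REL)` returns False while `is_backward_simulation(LATE, EARLY, REL)` returns True, which is the situation backward simulations were introduced for.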


In [LV93a] abstract notions of history variables [OG76] and prophecy variables [AL91a] are 
given in terms of history relations and prophecy relations. 


Definition 6.4 (History relation) 


Let $A$ and $B$ be automata with the same external actions and with invariants $I_A$ and $I_B$, 
respectively. A relation $h$ over $states(A) \times states(B)$ is a history relation from $A$ to $B$, with 
respect to $I_A$ and $I_B$, if $h$ is a forward simulation from $A$ to $B$ with respect to $I_A$ and $I_B$, and 
$h^{-1}$ is a refinement mapping from $B$ to $A$, with respect to $I_B$ and $I_A$. 


Write $A \leq_H B$ if there exists a history relation from $A$ to $B$ with respect to some invariants 
$I_A$ and $I_B$. If $h$ is a history relation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, 
write $A \leq_H B$ via $h$. ∎ 


Definition 6.5 (Prophecy relation) 
Let $A$ and $B$ be automata with the same external actions and with invariants $I_A$ and $I_B$, 
respectively. A relation $p$ over $states(A) \times states(B)$ is a prophecy relation from $A$ to $B$, with 
respect to $I_A$ and $I_B$, if $p$ is a backward simulation from $A$ to $B$ with respect to $I_A$ and $I_B$, 
and $p^{-1}$ is a refinement mapping from $B$ to $A$, with respect to $I_B$ and $I_A$. 


Write $A \leq_P B$ if there exists a prophecy relation from $A$ to $B$ with respect to some invariants 
$I_A$ and $I_B$. Furthermore, if the prophecy relation is image-finite, write $A \leq_{iP} B$. If $p$ is a 
prophecy relation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, write $A \leq_P B$ (or 
$A \leq_{iP} B$ when $p$ is image-finite) via $p$. ∎ 


6.1.2 Execution Correspondence 


This subsection introduces and proves the Execution Correspondence Theorem (ECT). The 
ECT states that if any of the simulations defined in the previous section has been proven 
from an implementation automaton to a specification automaton, then for any execution of 
the implementation automaton, there is a “corresponding” execution of the specification au- 
tomaton. In order to formalize this notion of correspondence, the notions of R-relation and 
index mapping are introduced. 


Definition 6.6 (R-relation and index mappings) 


Let $A$ and $B$ be automata with the same external actions and let $R$ be a relation over 
$states(A) \times states(B)$. Furthermore, let $\alpha$ and $\alpha'$ be executions of $A$ and $B$, respectively: 


    $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ 
    $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ 


Say that $\alpha$ and $\alpha'$ are $R$-related, written $(\alpha, \alpha') \in R$, if there exists a total, nondecreasing 
mapping $m : \{0, 1, \ldots, |\alpha|\} \to \{0, 1, \ldots, |\alpha'|\}$ such that 


1. $m(0) = 0$, 
2. $(s_i, u_{m(i)}) \in R$ for all $0 \leq i \leq |\alpha|$, 
3. $trace(b_{m(i-1)+1} \cdots b_{m(i)}) = trace(a_i)$ for all $0 < i \leq |\alpha|$, and 
4. for all $j$, $0 \leq j \leq |\alpha'|$, there exists an $i$, $0 \leq i \leq |\alpha|$, such that $m(i) \geq j$. 
The mapping $m$ is referred to as an index mapping from $\alpha$ to $\alpha'$ with respect to $R$. 


Write $(A, B) \in R$ if for every execution $\alpha$ of $A$, there exists an execution $\alpha'$ of $B$ such that 
$(\alpha, \alpha') \in R$. ∎ 


Thus, an index mapping maps indices of states in the concrete execution to indices of states in 
the abstract execution. Effectively, an index mapping maps concrete states to corresponding 
abstract states in such a way that the start states correspond (Condition 1), corresponding 
states are related by R (Condition 2), and the external actions between two consecutive pairs 
of corresponding states are the same at the concrete and the abstract level (Condition 3). 
Condition 4 ensures that the abstract execution ($\alpha'$) is not “too long”, i.e., $\alpha'$ must not extend 
beyond the last state of $\alpha'$ corresponding to some state in $\alpha$ (if such a state exists). Note that 
if $\alpha$ is finite, then $\alpha'$ must also be finite. However, even if $\alpha$ is infinite, $\alpha'$ can be finite if the 
index mapping is constant for indices above some bound. 


In order to prove the ECT, two auxiliary lemmas are needed. The first, Lemma 6.7, deals with 
forward simulations; the second, Lemma 6.10, deals with backward simulations. 


Lemma 6.7 


Let $A$ and $B$ be automata with the same external actions and assume $A \leq_F B$ via $f$. Fur- 
thermore, let $\alpha$ be an arbitrary execution of $A$. Then there exists a collection $(\alpha'_i, m_i)_{0 \leq i \leq |\alpha|}$ of 
finite executions of $B$ and mappings such that 


1. $m_i$ is an index mapping from $\alpha|_i$ to $\alpha'_i$ with respect to $f$, for all $0 \leq i \leq |\alpha|$, and 


2. $\alpha'_{i-1} \leq \alpha'_i$ and $m_{i-1} = m_i \restriction \{0, \ldots, i-1\}$, for all $0 < i \leq |\alpha|$. 


Proof. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and let $I_A$ and $I_B$ be invariants of $A$ and $B$, respectively, such 
that $f$ is a forward simulation from $A$ to $B$ with respect to $I_A$ and $I_B$. Construct $\alpha'_i$ and $m_i$ 
inductively. 

Since $s_0 \in start(A)$, Condition 1 of Definition 6.1 of a forward simulation gives the existence 
of a state $u_0 \in start(B)$ such that $(s_0, u_0) \in f$. Let $\alpha'_0 = u_0$ and let $m_0$ be the mapping that 
maps 0 to 0. Then clearly $m_0$ is an index mapping from $\alpha|_0$ to $\alpha'_0$ with respect to $f$. 

Now assume $m_{i-1}$ (for $0 < i \leq |\alpha|$) is an index mapping from $\alpha|_{i-1}$ to $\alpha'_{i-1}$ with respect to $f$. 
Let $u = lstate(\alpha'_{i-1})$. Then, by definition of $m_{i-1}$, $m_{i-1}(i-1) = |\alpha'_{i-1}|$ and $(s_{i-1}, u) \in f$. Since 
$(s_{i-1}, a_i, s_i) \in steps(A)$, and $s_{i-1}$, $s_i$, and $u$ are reachable (by definition, since they occur 
in an execution) and therefore satisfy their respective invariants, Condition 2 of Definition 6.1 
(Forward simulation) gives the existence of a finite execution fragment $\alpha''$ of $B$ which starts 
in $u$ and ends in a state $u'$ with $(s_i, u') \in f$, such that $trace(\alpha'') = trace(a_i)$. Now define 
$\alpha'_i = \alpha'_{i-1} \frown \alpha''$ and define $m_i$ to be the mapping such that $m_i(j) = m_{i-1}(j)$ for all $0 \leq j \leq i-1$ 
and $m_i(i) = |\alpha'_i|$. Then $m_i$ is trivially an index mapping from $\alpha|_i$ to $\alpha'_i$ with respect to $f$, and 
Part 2 of the lemma holds by construction. ∎ 


In order to state an analogous lemma for backward simulations, the notion of induced digraph 
is introduced along with some lemmas giving properties of the induced digraph. 


Definition 6.8 (Induced digraph) 


Let $A$ and $B$ be automata with the same external actions and assume $A \leq_{iB} B$ via $b$ with 
respect to some invariants $I_A$ and $I_B$. For any execution $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ of $A$, let the 
digraph induced by $\alpha$, $b$, and $I_B$ be the digraph $G$ constructed as follows: 


• The nodes of $G$ are the pairs $(u, i)$ where $0 \leq i \leq |\alpha|$ and $u \in b[s_i] \cap I_B$. 
• There is an edge from $(u, i)$ to $(u', i')$ exactly if $i' = i+1$ and there exists a finite execution 
fragment $\alpha'$ of $B$ such that $fstate(\alpha') = u$, $lstate(\alpha') = u'$, and $trace(\alpha') = trace(a_{i+1})$. ∎ 


Lemma 6.9 


Let $A$ and $B$ be automata with the same external actions and assume $A \leq_{iB} B$ via $b$ with 
respect to some $I_A$ and $I_B$. Furthermore, let $\alpha$ be any execution of $A$. Then the digraph $G$ 
induced by $\alpha$, $b$, and $I_B$ satisfies: 


1. For each $0 \leq i \leq |\alpha|$, there are nodes of the form $(u, i)$. 
2. Exactly all nodes of the form $(u, 0)$ are roots. 
3. $G$ has finitely many roots. 
4. Each node of $G$ has finite outdegree. 
5. Each node of $G$ is reachable from some root of $G$. 


Proof. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$. 


1. Since each state $s_i$ in $\alpha$ is reachable (by definition) and thus belongs to $I_A$, Condition 1 of 
Definition 6.3 (Backward simulation) gives us that $b[s_i] \cap I_B \neq \emptyset$. Thus, by Definition 6.8, 
$G$ has nodes of the form $(u, i)$. 


2. Any node $(u, 0)$ is a root in $G$. Consider any node $(u, i)$ with $i > 0$. Then since $u \in 
b[s_i] \cap I_B$, $s_{i-1}, s_i \in I_A$, and $(s_{i-1}, a_i, s_i) \in steps(A)$, Definition 6.3 implies the existence 
of a finite execution fragment $\alpha'$ of $B$ with $lstate(\alpha') = u$, $trace(\alpha') = trace(a_i)$, and 
$fstate(\alpha') \in b[s_{i-1}] \cap I_B$. Then by Definition 6.8 there is an edge in $G$ from $(fstate(\alpha'), i-1)$ 
to $(u, i)$. Thus, $(u, i)$ is not a root in $G$. 


3. Since $b$ is image-finite, the set $b[s_0] \cap I_B$ is finite and the result follows. 


4. From any node $(u, i)$, there can only be edges to nodes of the form $(u', i+1)$. Again, 
since $b$ is image-finite, there are only finitely many such nodes. 


5. Any node of the form $(u, 0)$ is reachable. Assume all nodes of the form $(u, i)$ are reachable 
(for some $0 \leq i < |\alpha|$). By an argument similar to Point 2 above, it is seen that to any 
node of the form $(u', i+1)$, there is an edge from a node of the form $(u, i)$. Thus, any 
node of the form $(u', i+1)$ is reachable. By induction all nodes of $G$ are reachable. ∎ 


Lemma 6.10 


Let $A$ and $B$ be automata with the same external actions and assume $A \leq_{iB} B$ via $b$. Fur- 
thermore, let $\alpha$ be an arbitrary execution of $A$. Then there exists a collection $(\alpha'_i, m_i)_{0 \leq i \leq |\alpha|}$ of 
finite executions of $B$ and mappings such that 


1. $m_i$ is an index mapping from $\alpha|_i$ to $\alpha'_i$ with respect to $b$, for all $0 \leq i \leq |\alpha|$, and 
2. $\alpha'_{i-1} \leq \alpha'_i$ and $m_{i-1} = m_i \restriction \{0, \ldots, i-1\}$, for all $0 < i \leq |\alpha|$. 


Proof. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and let $I_A$ and $I_B$ be invariants of $A$ and $B$, respectively, 
such that $b$ is an image-finite backward simulation from $A$ to $B$ with respect to $I_A$ and $I_B$. 
Furthermore, let $G$ be the digraph induced by $\alpha$, $b$, and $I_B$. If $\alpha$ is finite, fix $p$ to be any path 
$(u_0, 0)(u_1, 1) \cdots (u_n, n)$, where $n = |\alpha|$. Such a path exists by Condition 5 of Lemma 6.9. If $\alpha$ 
is infinite, then $G$ is infinite and Lemmas 6.9 and 2.1 (König's Lemma) imply the existence of 
an infinite path in $G$. Fix $p = (u_0, 0)(u_1, 1) \cdots$ to be any such path. Now construct $\alpha'_i$ and $m_i$ 
inductively. At the same time prove that $lstate(\alpha'_i) = u_i$. 

Since $s_0 \in start(A)$ and $u_0 \in b[s_0] \cap I_B$, Condition 2 of Definition 6.3 of a backward 
simulation implies that $u_0 \in start(B)$. Let $\alpha'_0 = u_0$ and let $m_0$ be the mapping that maps 0 to 
0. Then clearly $m_0$ is an index mapping from $\alpha|_0$ to $\alpha'_0$ with respect to $b$, and $lstate(\alpha'_0) = u_0$. 

Now assume $m_{i-1}$ (for $0 < i \leq |\alpha|$) is an index mapping from $\alpha|_{i-1}$ to $\alpha'_{i-1}$ with respect to 
$b$ and assume that $lstate(\alpha'_{i-1}) = u_{i-1}$. Since there is an edge in $G$ from $(u_{i-1}, i-1)$ to $(u_i, i)$, 
there exists, by Definition 6.8, a finite execution fragment $\alpha''$ of $B$ such that $fstate(\alpha'') = u_{i-1}$, 
$lstate(\alpha'') = u_i$, and $trace(\alpha'') = trace(a_i)$. Now define $\alpha'_i = \alpha'_{i-1} \frown \alpha''$ and define $m_i$ to be the 
mapping such that $m_i(j) = m_{i-1}(j)$ for all $0 \leq j \leq i-1$ and $m_i(i) = |\alpha'_i|$. Then, trivially 
$m_i$ is an index mapping from $\alpha|_i$ to $\alpha'_i$ with respect to $b$, and Point 2 of the lemma holds by 
construction. Also, $lstate(\alpha'_i) = u_i$ as required. 

If $\alpha$ is finite, then the lemma holds by construction; if $\alpha$ is infinite, then the lemma holds 
by induction. ∎ 


Finally, the Execution Correspondence Theorem can be stated and proven. The theorem states 
that if a relation $S$ is a forward simulation, refinement mapping, image-finite backward simu- 
lation, history relation, or image-finite prophecy relation from $A$ to $B$, then for any execution 
of $A$, there exists an $S$-related execution of $B$. 


Theorem 6.11 (Execution Correspondence Theorem) 


Let $A$ and $B$ be automata with the same external actions. Assume for $X \in \{F, R, iB, H, iP\}$ 
that $A \leq_X B$ via $S$. Then $(A, B) \in S$. 


Proof. One must show that for all $\alpha \in exec(A)$ there exists an $\alpha' \in exec(B)$ such that 
$(\alpha, \alpha') \in S$. Consider cases. 


1. $A \leq_F B$ via $S$. 

Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ be an arbitrary execution of $A$, and let $(\alpha'_i, m_i)_{0 \leq i \leq |\alpha|}$ be a collec- 
tion of finite executions of $B$ and mappings as defined in Lemma 6.7. 

First assume $\alpha$ is finite. Then $\alpha = \alpha|_{|\alpha|}$, and according to Lemma 6.7 $m_{|\alpha|}$ is an index 
mapping from $\alpha|_{|\alpha|}$ to $\alpha'_{|\alpha|}$. That suffices since $\alpha'_{|\alpha|} = \alpha'$ by Condition 4 of Definition 6.6. 

Now, assume $\alpha$ is infinite. Then let $m$ be the unique mapping over the natural numbers 
defined by $m(i) = m_i(i)$, and let $\alpha'$ be the limit of $\alpha'_i$ under the prefix ordering. Thus, 
$\alpha'$ is the unique execution of $B$ defined by $\alpha'|_{m(i)} = \alpha'_i$ with the restriction that for any 
index $j$ of $\alpha'$ there exists an $i$ such that $\alpha'|_j \leq \alpha'_i$. 

Now the claim is that $m$ is an index mapping from $\alpha$ to $\alpha'$ with respect to $S$. First 
note that $m$ is total and nondecreasing. The latter is seen by contradiction. Assume 
$m$ is not nondecreasing. Then there exists an $i$ such that $m(i) < m(i-1)$, but since 
$m(i) = m_i(i)$ and $m(i-1) = m_{i-1}(i-1) = m_i(i-1)$ this contradicts the fact that $m_i$ is 
an index mapping and thus is nondecreasing. Similarly, it can be seen that the range of 
$m$ is within $\{0, \ldots, |\alpha'|\}$. 

Now the four conditions of Definition 6.6 must be checked. Condition 1 holds since $m_0$ 
is an index mapping and thus satisfies $m_0(0) = 0$. Assume Condition 2 or 3 does not 
hold. Then there must exist an $i$ such that the condition is invalidated. However, this 
contradicts the fact that for any $i$, $m_i$ is an index mapping from $\alpha|_i$ to $\alpha'_i$ with respect 
to $S$. Finally, assume Condition 4 does not hold. Thus, assume the existence of an 
index $j$ in $\alpha'$ such that for all $i$, $m(i) < j$. By definition of $\alpha'$ there exists an $i$ such 
that $\alpha'|_j \leq \alpha'_i$. Now, Lemma 6.7 gives that $m_i(i) = |\alpha'_i| \geq j$. Thus, $m(i) \geq j$ which 
contradicts the assumption that $m(i) < j$. 


2. $A \leq_R B$ via $S$. 

A refinement mapping is a forward simulation, so the result follows from the previous 
case. 


3. $A \leq_{iB} B$ via $S$. 

Same as case 1, by using Lemma 6.10 instead of Lemma 6.7. 


4. $A \leq_H B$ via $S$. 

By Definition 6.4 $S$ is a forward simulation from $A$ to $B$, so the result follows from case 
1 above. 


5. $A \leq_{iP} B$ via $S$. 

By Definition 6.5 $S$ is an image-finite backward simulation from $A$ to $B$, so the result 
follows from case 3 above. ∎ 


6.1.3 Proving the Safe Preorder 


This subsection proves the soundness of the simulation proof techniques with respect to the 
safe preorder. This is a well-known result, see, e.g., [LV93a], however, instead of proving the 
result directly as in [LV93a], the ECT is used. We start with some preliminary definitions and 
technical lemmas needed for the proof. 

Define the $i$th step of $\alpha$, for all $0 < i \leq |\alpha|$, as $step(\alpha, i) = {}_{i-1}|\alpha|_i = (s_{i-1}, a_i, s_i)$. Also, let 
$m$ be a total, nondecreasing mapping $m : \{0, 1, \ldots, N\} \to \{0, 1, \ldots, |\alpha|\}$, where $N \in \mathbb{N} \cup \{\infty\}$. 
Then, define the $i$th $m$-step of $\alpha$, for all $0 < i \leq N$, as $step_m(\alpha, i) = {}_{m(i-1)}|\alpha|_{m(i)}$. 


Lemma 6.12 


Let $\alpha$ be an execution fragment. 


1. Then, for all $0 \leq i \leq j \leq |\alpha|$, 

    ${}_i|\alpha|_j = step(\alpha, i+1) \frown step(\alpha, i+2) \frown \cdots \frown step(\alpha, j)$ 


2. Let $m$ be a total, nondecreasing mapping $m : \{0, 1, \ldots, N\} \to \{0, 1, \ldots, |\alpha|\}$, where $N \in 
\mathbb{N} \cup \{\infty\}$. Then, for all $0 \leq i \leq j \leq N$, 

    ${}_{m(i)}|\alpha|_{m(j)} = step_m(\alpha, i+1) \frown step_m(\alpha, i+2) \frown \cdots \frown step_m(\alpha, j)$ 

Proof. Trivial by explicit construction. ∎ 


Lemma 6.13 


Let $\alpha$ be an execution fragment. 


1. Then, for all $0 \leq i \leq |\alpha|$, 

    ${}_i|\alpha = \begin{cases} step(\alpha, i+1) \frown step(\alpha, i+2) \frown \cdots \frown step(\alpha, |\alpha|) & \text{if } \alpha \text{ is finite} \\ step(\alpha, i+1) \frown step(\alpha, i+2) \frown \cdots & \text{otherwise} \end{cases}$ 


2. Let $m$ be a total, nondecreasing mapping $m : \{0, 1, \ldots, N\} \to \{0, 1, \ldots, |\alpha|\}$, where $N \in 
\mathbb{N} \cup \{\infty\}$, such that for all $0 \leq j \leq |\alpha|$ there exists an $i \in dom(m)$ with $m(i) \geq j$. Then, 
for all $0 \leq i \leq N$, 

    ${}_{m(i)}|\alpha = \begin{cases} step_m(\alpha, i+1) \frown step_m(\alpha, i+2) \frown \cdots \frown step_m(\alpha, N) & \text{if } N \text{ is finite} \\ step_m(\alpha, i+1) \frown step_m(\alpha, i+2) \frown \cdots & \text{otherwise} \end{cases}$ 


Proof. The lemma follows from Lemma 6.12. ∎ 


The following lemma is used to show that any two related executions have the same trace. 


Lemma 6.14 


Let $A$ and $B$ be automata with the same external actions and let $R$ be a relation over 
$states(A) \times states(B)$. Assume that $(\alpha, \alpha') \in R$ and let $m$ be any index mapping from $\alpha$ 
to $\alpha'$ with respect to $R$. Then, for all $0 \leq i \leq |\alpha|$, $trace({}_i|\alpha) = trace({}_{m(i)}|\alpha')$. 


Proof. Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$. If $i = |\alpha|$ (in the case where $\alpha$ is 
finite), ${}_{|\alpha|}|\alpha = s_{|\alpha|}$ and Condition 4 of Definition 6.6 gives ${}_{m(|\alpha|)}|\alpha' = u_{m(|\alpha|)}$. Thus, obviously 
$trace({}_i|\alpha) = trace({}_{m(i)}|\alpha')$ (the empty list). If $0 \leq i < |\alpha|$, then from Lemma 6.13 


    ${}_i|\alpha = step(\alpha, i+1) \frown step(\alpha, i+2) \frown \cdots$ 
    ${}_{m(i)}|\alpha' = step_m(\alpha', i+1) \frown step_m(\alpha', i+2) \frown \cdots$ 


where the concatenations are finite (and end in $step(\alpha, |\alpha|)$ and $step_m(\alpha', |\alpha|)$, respectively) if 
and only if $\alpha$ is finite. 

Now use the obvious fact that restricting an execution to a set of actions distributes over 
concatenation. This gives us: 


    $trace({}_i|\alpha) = ({}_i|\alpha) \restriction ext(A)$ 
    $\quad = (step(\alpha, i+1) \restriction ext(A)) \frown (step(\alpha, i+2) \restriction ext(A)) \frown \cdots$ 
    $\quad = trace(step(\alpha, i+1)) \frown trace(step(\alpha, i+2)) \frown \cdots$ 
    $trace({}_{m(i)}|\alpha') = ({}_{m(i)}|\alpha') \restriction ext(B)$ 
    $\quad = (step_m(\alpha', i+1) \restriction ext(B)) \frown (step_m(\alpha', i+2) \restriction ext(B)) \frown \cdots$ 
    $\quad = trace(step_m(\alpha', i+1)) \frown trace(step_m(\alpha', i+2)) \frown \cdots$ 


Now, from the definitions of $step$ and $step_m$ and Condition 3 of Definition 6.6, 


    $trace(step(\alpha, j)) = trace(step_m(\alpha', j))$ 


for all $0 < j \leq |\alpha|$. So, if $|\alpha| \neq \infty$, $trace({}_i|\alpha) = trace({}_{m(i)}|\alpha')$ by construction. If $|\alpha| = \infty$, 
assume that $trace({}_i|\alpha) \neq trace({}_{m(i)}|\alpha')$. Then there must be a finite prefix $\beta$ of $trace({}_i|\alpha)$ such 
that $\beta \not\leq trace({}_{m(i)}|\alpha')$. Also, there must exist a finite number $j > i$ such that 


    $\beta \leq \beta_j = trace(step(\alpha, i+1)) \frown \cdots \frown trace(step(\alpha, j))$ 


Since $\beta \not\leq trace({}_{m(i)}|\alpha')$, it must also be the case that $\beta_j \not\leq trace({}_{m(i)}|\alpha')$. Now, let 


    $\beta' = trace(step_m(\alpha', i+1)) \frown \cdots \frown trace(step_m(\alpha', j))$ 

Then $\beta' \leq trace({}_{m(i)}|\alpha')$, and by distributivity of restriction over concatenation $\beta_j = \beta'$. Thus 
$\beta_j \leq trace({}_{m(i)}|\alpha')$, which contradicts the assumption. So, also if $|\alpha| = \infty$, conclude that 
$trace({}_i|\alpha) = trace({}_{m(i)}|\alpha')$. ∎ 


Lemma 6.15 


Let $A$ and $B$ be automata with the same external actions and let $R$ be a relation over 
$states(A) \times states(B)$. If $(\alpha, \alpha') \in R$, then $trace(\alpha) = trace(\alpha')$. 


Proof. Immediate from Lemma 6.14 since for any execution $\alpha_1$, ${}_0|\alpha_1 = \alpha_1$, and any index 
mapping maps 0 to 0 (cf. Condition 1 of Definition 6.6). ∎ 
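The index-mapping conditions of Definition 6.6 and the step and $m$-step decomposition of Lemmas 6.12 to 6.15, as an added example (not code from the paper) on finite executions. The executions, relation and mapping below are constructed for the illustration: a buffering implementation whose internal flush step is matched by the empty abstract fragment, so that $m(1) = m(2)$.

```python
"""Index mappings (Definition 6.6) and the step / m-step decomposition of
Section 6.1.3 (Lemmas 6.12 to 6.15), for finite executions. Added example,
not code from the paper. An execution is a list s0, a1, s1, a2, s2, ...;
`ext` is the set of external actions, every other action is internal and is
dropped by trace. An index mapping m is a list with m[i] = m(i)."""


def length(alpha):
    """|alpha|: the number of actions in the execution."""
    return (len(alpha) - 1) // 2


def state(alpha, i):
    return alpha[2 * i]


def actions_between(alpha, lo, hi):
    """The actions a_{lo+1} ... a_{hi} of alpha (empty when lo == hi)."""
    return alpha[2 * lo + 1:2 * hi:2]


def trace_of(acts, ext):
    return tuple(a for a in acts if a in ext)


def between(alpha, i, j):
    """_i|alpha|_j: the fragment of alpha from state i to state j."""
    return alpha[2 * i:2 * j + 1]


def step(alpha, i):
    """step(alpha, i) = _{i-1}|alpha|_i = (s_{i-1}, a_i, s_i)."""
    return between(alpha, i - 1, i)


def step_m(alpha, m, i):
    """step_m(alpha, i) = _{m(i-1)}|alpha|_{m(i)}; one state if m(i-1) == m(i)."""
    return between(alpha, m[i - 1], m[i])


def concat(*frags):
    """The concatenation operator on fragments: glue them at the shared state."""
    out = list(frags[0])
    for fr in frags[1:]:
        if out[-1] != fr[0]:
            raise ValueError("fragments do not join")
        out.extend(fr[1:])
    return out


def index_mapping_violations(alpha, alpha2, m, R, ext):
    """Numbers of the conditions of Definition 6.6 that m violates; an empty
    list means m is an index mapping from alpha to alpha2 with respect to R."""
    n, n2 = length(alpha), length(alpha2)
    if len(m) != n + 1 or any(not 0 <= v <= n2 for v in m) \
            or any(m[i] > m[i + 1] for i in range(n)):
        raise ValueError("m is not a total nondecreasing map into 0..|alpha2|")
    bad = []
    if m[0] != 0:
        bad.append(1)
    if any((state(alpha, i), state(alpha2, m[i])) not in R for i in range(n + 1)):
        bad.append(2)
    if any(trace_of(actions_between(alpha2, m[i - 1], m[i]), ext)
           != trace_of(actions_between(alpha, i - 1, i), ext)
           for i in range(1, n + 1)):
        bad.append(3)
    if max(m) < n2:  # some index of alpha2 lies beyond every m(i)
        bad.append(4)
    return bad


def suffix_traces_agree(alpha, alpha2, m, ext):
    """Lemma 6.14 checked via Lemma 6.13: rebuild _i|alpha from its steps and
    _{m(i)}|alpha2 from its m-steps, then compare the traces for every i."""
    n = length(alpha)
    for i in range(n + 1):
        suffix = [state(alpha, i)]
        suffix_m = [state(alpha2, m[i])]
        for k in range(i + 1, n + 1):
            suffix = concat(suffix, step(alpha, k))
            suffix_m = concat(suffix_m, step_m(alpha2, m, k))
        # the rebuilt fragments must be the actual suffixes (Lemma 6.13) ...
        if suffix != alpha[2 * i:] or suffix_m != alpha2[2 * m[i]:]:
            return False
        # ... and their traces must agree (Lemma 6.14)
        if trace_of(suffix[1::2], ext) != trace_of(suffix_m[1::2], ext):
            return False
    return True


# Constructed executions of a buffering implementation and its specification;
# the internal "flush" step is matched by the empty fragment, so m(1) = m(2).
EXT = {"send", "ack"}
ALPHA = ["idle", "send", "buf", "flush", "sent", "ack", "idle"]
ALPHA2 = ["i", "send", "s", "ack", "i"]
M = [0, 1, 1, 2]
R = {("idle", "i"), ("buf", "s"), ("sent", "s")}
# A longer abstract execution that violates Condition 4 (it is "too long").
ALPHA2_LONG = ALPHA2 + ["send", "s"]
```

`index_mapping_violations(ALPHA, ALPHA2, M, R, EXT)` returns the empty list, while the same mapping into `ALPHA2_LONG` returns `[4]` and the mapping `[0, 1, 2, 2]` into `ALPHA2` returns `[2, 3]`.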


The soundness of the simulation relations with respect to trace inclusion can now be shown. 


Lemma 6.16 (Soundness of simulations w.r.t. trace inclusion) 


Let $A$ and $B$ be automata with the same external actions and assume for $X \in \{F, R, iB, H, iP\}$ 
that $A \leq_X B$ via $S$. Then $traces(A) \subseteq traces(B)$. 




Proof. Let $\beta \in traces(A)$ be an arbitrary trace of $A$ and let $\alpha$ be an execution of $A$ such 
that $trace(\alpha) = \beta$. Then, by Theorem 6.11 (ECT), there exists an execution $\alpha'$ of $B$ such that 
$(\alpha, \alpha') \in S$. By Lemma 6.15, $trace(\alpha') = trace(\alpha) = \beta$. Thus, $\beta \in traces(B)$ as required. ∎ 


Finally, it follows immediately from the fact that the simulation relations are sound with respect 
to trace inclusion (Lemma 6.16) and the definition of the safe preorder (Definition 3.30) that 
the simulation relations are sound with respect to the safe preorder. 


Theorem 6.17 (Soundness of simulations w.r.t. the safe preorder) 


Let $(A, L)$ and $(B, M)$ be live I/O automata with $esig(A) = esig(B)$, and assume for some 
$X \in \{F, R, iB, H, iP\}$ that $A \leq_X B$. Then $(A, L) \sqsubseteq_S (B, M)$. ∎ 


6.1.4 Proving the Live Preorder 


A proof strategy for proving that one live I/O automaton implements another live I/O au- 
tomaton via the live preorder is now described. First consider the following lemma. 


Lemma 6.18 


Suppose $(A, L)$ and $(B, M)$ are live I/O automata with $esig(A) = esig(B)$, and assume for 
some $X \in \{F, R, iB, H, iP\}$ that $A \leq_X B$ via $S$. If 


    $\forall (\alpha, \alpha') \in S : (\alpha \in L \Rightarrow \alpha' \in M)$ 

then $(A, L) \sqsubseteq_L (B, M)$. 


Proof. It is enough to show that $traces(L) \subseteq traces(M)$. Let $\beta \in traces(L)$. By definition of 
trace there is an execution $\alpha$ of $L$ such that $trace(\alpha) = \beta$. By definition of live I/O automaton 
$\alpha$ is an execution of $A$. From Theorem 6.11 (ECT) there exists an execution $\alpha'$ of $B$ such 
that $(\alpha, \alpha') \in S$. From the hypothesis of this lemma $\alpha'$ is an execution of $M$. Moreover, from 
Lemma 6.15 we have $trace(\alpha) = trace(\alpha')$. Thus, $\beta \in traces(M)$. ∎ 


Based on Lemma 6.18, the following proof strategy proves that a live I/O automaton (A, L) is 
a correct implementation of another live I/O automaton (B, M): 


1. Prove a simulation $S$ from $A$ to $B$ with respect to some invariants. 

2. Assume $\alpha$ and $\alpha'$ are arbitrary executions of $A$ and $B$, respectively, with $(\alpha, \alpha') \in S$, and 
assume that $\alpha$ is live (i.e., $\alpha \in L$). 
Prove that $\alpha'$ is also live (i.e., $\alpha' \in M$). 


This will usually be a proof by contradiction. That is, assume that $\alpha'$ is not live and 
show that this leads to a contradiction. This strategy gives a nice way of splitting the 
proof into cases, since being live usually means satisfying a conjunction of conditions, so 
that not being live means not satisfying (at least) one of these conditions. Thus, each of 
the conditions can be considered separately. 
The reader is referred to [SLL93, Lyn93] for extensive applications of the proof techniques. 


6.2 Timed Proof Techniques 


Since liveness conditions in the timed model are expressed in terms of timed executions, the 
obvious generalization of the approach taken in the untimed model would be to develop simu- 
lation techniques that give a correspondence between the timed executions of timed automata. 
This suggests that the simulation techniques in the timed model should, for every “timed step” 
$(\omega, a, \omega')$ of a low-level timed automaton, where $\omega$ and $\omega'$ are trajectories, find a corresponding 
timed execution fragment of the high-level timed automaton. On the other hand, the fact that 
the transition relation of a timed automaton determines ordinary steps of the form $(s, a, s')$, 
rather than steps of timed executions of the form $(\omega, a, \omega')$, suggests simulation techniques 
that for each ordinary step $(s, a, s')$ of the low-level timed automaton find a corresponding 
(ordinary) execution fragment of the high-level timed automaton. We pursue this latter type 
of simulation. 

In particular, this section shows that the existence of such a simulation, based on ordinary 
steps, between two timed automata implies all four of the timed safe preorders of the timed 
model (cf. Definition 4.36). Also, (timed) liveness conditions can be characterized by sets of 
ordinary (sampled) executions some of which are minimal. These characterizations by sets 
of ordinary (sampled) executions form the basis of a lemma similar to Lemma 6.18 on which 
proofs of the timed live preorder can be based. 

The structure of this section parallels that of the untimed model. First a number of (timed) 
simulation techniques are defined. Then, the execution correspondence theorem for the timed 
model is proven, and finally the use of the timed simulation techniques to prove the timed safe 
and live preorders is discussed. 


6.2.1 Timed Simulation Proof Techniques 


The timed simulations presented here are similar to the ones defined in [LV91] except for our 
use of invariants. Recall that an invariant is any set of states of an automaton that is a 
superset of the reachable states (reachability coincides with t-reachability). 

There are only two minor differences between the simulation relations presented here and 
the simulation relations from the untimed model. First, states related by a simulation relation 
must have the same time. Second, since the trace operator on execution fragments does not 
adequately abstract from time-passage actions, the simulation techniques below use a notion 
of visible trace. For any timed automaton $A$ and any execution fragment $\alpha$ of $A$, define the 
visible trace of $\alpha$, written $vis\text{-}trace_A(\alpha)$, or just $vis\text{-}trace(\alpha)$ when $A$ is clear from context, to 
be $\alpha \restriction vis(A)$. Similarly, given any sequence of actions $\beta$, define the visible trace of $\beta$, written 
$vis\text{-}trace_A(\beta)$, or just $vis\text{-}trace(\beta)$ if $A$ is clear from context, to be $\beta \restriction vis(A)$. 


Definition 6.19 (Timed forward simulation) 


Let $A$ and $B$ be timed automata with the same visible actions and with invariants $I_A$ and $I_B$, 
respectively. A timed forward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a relation 
$f$ over $states(A) \times states(B)$ that satisfies: 


1. If $u \in f[s]$ then $u.now = s.now$. 
2. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$. 
3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u \in f[s] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ 
with $fstate(\alpha) = u$, $lstate(\alpha) \in f[s']$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 


Write $A \leq_{tF} B$ if there exists a timed forward simulation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$. If $f$ is a timed forward simulation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$, write $A \leq_{tF} B$ via $f$. ∎ 


Definition 6.20 (Timed refinement mapping) 


Let $A$ and $B$ be timed automata with the same visible actions and with invariants $I_A$ and 
$I_B$, respectively. A timed refinement mapping from $A$ to $B$, with respect to $I_A$ and $I_B$, is a 
function $r$ from $states(A)$ to $states(B)$ that satisfies: 


1. $r(s).now = s.now$. 
2. If $s \in start(A)$ then $r(s) \in start(B)$. 
3. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $r(s) \in I_B$, then there exists an $\alpha \in frag^*(B)$ with 
$fstate(\alpha) = r(s)$, $lstate(\alpha) = r(s')$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 


Write $A \leq_{tR} B$ if there exists a timed refinement mapping from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$. If $r$ is a timed refinement mapping from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$, write $A \leq_{tR} B$ via $r$. ∎ 


Definition 6.21 (Timed backward simulation) 


Let $A$ and $B$ be timed automata with the same visible actions and with invariants $I_A$ and 
$I_B$, respectively. A timed backward simulation from $A$ to $B$, with respect to $I_A$ and $I_B$, is a 
relation $b$ over $states(A) \times states(B)$ that satisfies: 


1. If $u \in b[s]$ then $u.now = s.now$. 
2. If $s \in I_A$ then $b[s] \cap I_B \neq \emptyset$. 
3. If $s \in start(A)$ then $b[s] \cap I_B \subseteq start(B)$. 


4. If $(s, a, s') \in steps(A)$, $s, s' \in I_A$, and $u' \in b[s'] \cap I_B$, then there exists an $\alpha \in frag^*(B)$ 
with $lstate(\alpha) = u'$, $fstate(\alpha) \in b[s] \cap I_B$, and $vis\text{-}trace(\alpha) = vis\text{-}trace(a)$. 

Write $A \leq_{tB} B$ if there exists a timed backward simulation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$. If furthermore the timed backward simulation is image-finite, write 
$A \leq_{itB} B$. If $b$ is a timed backward simulation from $A$ to $B$ with respect to some invariants 
$I_A$ and $I_B$, write $A \leq_{tB} B$ (or $A \leq_{itB} B$ when $b$ is image-finite) via $b$. ∎ 


Definition 6.22 (Timed history relation) 


Let $A$ and $B$ be timed automata with the same visible actions and with invariants $I_A$ and $I_B$, 
respectively. A relation $h$ over $states(A) \times states(B)$ is a timed history relation from $A$ to $B$, 
with respect to $I_A$ and $I_B$, if $h$ is a timed forward simulation from $A$ to $B$ with respect to $I_A$ 
and $I_B$, and $h^{-1}$ is a timed refinement mapping from $B$ to $A$, with respect to $I_B$ and $I_A$. 


Write $A \leq_{tH} B$ if there exists a timed history relation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$. If $h$ is a timed history relation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$, write $A \leq_{tH} B$ via $h$. ∎ 


Definition 6.23 (Timed prophecy relation) 


Let $A$ and $B$ be timed automata with the same visible actions and with invariants $I_A$ and $I_B$, 
respectively. A relation $p$ over $states(A) \times states(B)$ is a timed prophecy relation from $A$ to $B$, 
with respect to $I_A$ and $I_B$, if $p$ is a timed backward simulation from $A$ to $B$ with respect to $I_A$ 
and $I_B$, and $p^{-1}$ is a timed refinement mapping from $B$ to $A$, with respect to $I_B$ and $I_A$. 


Write $A \leq_{tP} B$ if there exists a timed prophecy relation from $A$ to $B$ with respect to some 
invariants $I_A$ and $I_B$. If furthermore the timed prophecy relation is image-finite, write $A \leq_{itP} 
B$. If $p$ is a timed prophecy relation from $A$ to $B$ with respect to some invariants $I_A$ and $I_B$, write 
$A \leq_{tP} B$ (or $A \leq_{itP} B$ when $p$ is image-finite) via $p$. ∎ 


6.2.2 Execution Correspondence 


As in the untimed model, the simulation relations imply a certain correspondence between the 
ordinary executions of the involved timed automata. The following definition formalizes this 
correspondence, called timed R-relation, and defines a notion of timed index mapping. The 
definition is similar to Definition 6.6 in the untimed model; the only differences are that the R 
relation must relate states with the same time and that the definition deals with visible traces 
as opposed to traces, i.e., the same differences as in the simulation relations. 


Definition 6.24 (Timed R-relation and timed index mappings) 


Let $A$ and $B$ be timed automata with the same external actions and let $R$ be a relation over 
$states(A) \times states(B)$ such that if $(s, u) \in R$ then $s.now = u.now$. Furthermore, let $\alpha$ and $\alpha'$ 
be (ordinary) executions of $A$ and $B$, respectively: 


    $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ 
    $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ 


Say that $\alpha$ and $\alpha'$ are timed $R$-related, written $(\alpha, \alpha') \in_t R$, if there exists a total, nondecreasing 
mapping $m : \{0, 1, \ldots, |\alpha|\} \to \{0, 1, \ldots, |\alpha'|\}$ such that 


1. $m(0) = 0$, 

2. $(s_i, u_{m(i)}) \in R$ for all $0 \leq i \leq |\alpha|$, 

3. $vis\text{-}trace(b_{m(i-1)+1} \cdots b_{m(i)}) = vis\text{-}trace(a_i)$ for all $0 < i \leq |\alpha|$, and 

4. for all $j$, $0 \leq j \leq |\alpha'|$, there exists an $i$, $0 \leq i \leq |\alpha|$, such that $m(i) \geq j$. 
The mapping $m$ is referred to as a timed index mapping from $\alpha$ to $\alpha'$ with respect to $R$. 
Write $(A, B) \in_t R$ if for every execution $\alpha$ of $A$, there exists an execution $\alpha'$ of $B$ such that 
$(\alpha, \alpha') \in_t R$. ∎ 


The following lemma shows that timed R-related executions have the same limit time and that 
there is a correspondence with respect to finiteness, admissibility, and Zenoness. 


Lemma 6.25


Let $A$ and $B$ be timed automata with the same external actions and let $R$ be a relation over
$\textit{states}(A) \times \textit{states}(B)$ such that if $(s,u) \in R$ then $s.\textit{now} = u.\textit{now}$. Furthermore, let $\alpha$ and $\alpha'$
be executions of $A$ and $B$, respectively. Then, if $(\alpha,\alpha') \in_t R$,

1. $\textit{ltime}(\alpha) = \textit{ltime}(\alpha')$,
2. if $\alpha$ is finite then $\alpha'$ is finite,
3. $\alpha$ is admissible iff $\alpha'$ is admissible, and
4. if $\alpha'$ is Zeno then $\alpha$ is Zeno.


Proof. Let $\alpha = s_0\, a_1\, s_1\, a_2\, s_2 \cdots$ and $\alpha' = u_0\, b_1\, u_1\, b_2\, u_2 \cdots$, and assume $(\alpha,\alpha') \in_t R$. Let $m$ be
a timed index mapping from $\alpha$ to $\alpha'$ with respect to $R$. The four parts of the lemma are
considered separately.

1. For any state $s$ in $\alpha$ (and thus any time in $\alpha$) there exists, by Condition 2 of Definition 6.24,
a state $u$ in $\alpha'$ with $(s,u) \in R$, and thus $u.\textit{now} = s.\textit{now}$. This proves that
$\textit{ltime}(\alpha) \leq \textit{ltime}(\alpha')$. Similarly Condition 4 of Definition 6.24 implies that
$\textit{ltime}(\alpha) \geq \textit{ltime}(\alpha')$. Thus, $\textit{ltime}(\alpha) = \textit{ltime}(\alpha')$.

2. Assume $\alpha$ is finite. Now, assume that $\alpha'$ is not finite. Let $m' = m(|\alpha|)$. Then, since
$\alpha'$ is not finite and thus infinite, the state $u_{m'+1}$ exists in $\alpha'$. Then Condition 4 of
Definition 6.24 implies the existence of an index $0 \leq i \leq |\alpha|$ such that $m(i) \geq m'+1 > m'$,
but this contradicts the fact that $m' = m(|\alpha|)$ and $m$ is nondecreasing. Thus, $\alpha'$ is finite.

3. This result follows directly from Part 1 of this lemma.

4. Assume $\alpha'$ is Zeno. Then Part 2 of this lemma implies that $\alpha$ is not finite. Furthermore,
Part 3 of this lemma implies that $\alpha$ is not admissible. Thus, $\alpha$ is Zeno.

This concludes the proof. $\square$


Note that in Part 2 of Lemma 6.25 the converse is not true: even though $\alpha'$ is finite, $\alpha$ could
be Zeno by having a suffix containing only internal actions and having $m$ be constant for all
indices in that suffix. This argument shows that the converse of Part 4 is also not true in
general.
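As an added illustration (not code from the paper), the following Python checks Conditions 1-4 of Definition 6.24 for two finite executions, searches for a timed index mapping $m$ by depth-first search, and compares last-state times as in Lemma 6.25 Part 1. The two executions, the visible action set and the relation $R$ are constructed sample data; for finite $\alpha'$, Condition 4 reduces to $m(|\alpha|) = |\alpha'|$, which is what the code checks.

```python
from collections import namedtuple
from typing import List, Optional, Sequence, Set
State = namedtuple("State", "name now")                # .now is the time component of a state
Execution = namedtuple("Execution", "states actions")  # alpha = s0 a1 s1 ...: states[0..n], actions[0..n-1]

def vis_trace(actions: Sequence[str], visible: Set[str]) -> tuple:
    """vis-trace keeps visible actions only (internal and time-passage actions are dropped)."""
    return tuple(a for a in actions if a in visible)

def step_ok(alpha, alpha_p, prev, i, j, R, visible) -> bool:
    """Conditions 2 and 3 of Definition 6.24 at index i with m(i) = j and m(i-1) = prev."""
    s, u = alpha.states[i], alpha_p.states[j]
    if s.now != u.now or not R(s, u):                  # Condition 2 (R may only relate equal times)
        return False
    if i == 0:                                         # there is no a_0, so only Condition 2 applies
        return True
    return vis_trace(alpha_p.actions[prev:j], visible) == vis_trace(alpha.actions[i - 1:i], visible)

def is_timed_index_mapping(alpha, alpha_p, R, m, visible) -> bool:
    """Check Conditions 1-4 of Definition 6.24 for finite alpha and alpha'."""
    n, n_p = len(alpha.actions), len(alpha_p.actions)
    if len(m) != n + 1 or m[0] != 0 or m[n] != n_p:    # total, Condition 1, Condition 4 (finite case)
        return False
    if any(m[i - 1] > m[i] for i in range(1, n + 1)):  # nondecreasing
        return False
    return all(step_ok(alpha, alpha_p, m[max(i - 1, 0)], i, m[i], R, visible) for i in range(n + 1))

def find_timed_index_mapping(alpha, alpha_p, R, visible) -> Optional[List[int]]:
    """Depth-first search for a timed index mapping; None when alpha, alpha' are not timed R-related."""
    n, n_p = len(alpha.actions), len(alpha_p.actions)
    def extend(m: List[int]) -> Optional[List[int]]:
        if len(m) == n + 1:                            # all of {0..|alpha|} mapped
            return m if m[n] == n_p else None          # Condition 4 for finite alpha'
        for j in range(m[-1], n_p + 1):                # nondecreasing candidates for m(i)
            if step_ok(alpha, alpha_p, m[-1], len(m), j, R, visible):
                found = extend(m + [j])
                if found is not None:
                    return found
        return None
    return extend([0]) if step_ok(alpha, alpha_p, 0, 0, 0, R, visible) else None

def ltime(ex: Execution) -> float:
    """Lemma 6.25 Part 1: for finite executions, ltime is the time of the last state."""
    return ex.states[-1].now

# Constructed sample (not from the paper): "tau" is internal and "nu(1)" lets one time unit pass.
VISIBLE = {"send", "recv"}
ALPHA = Execution([State("s0", 0), State("s1", 1), State("s2", 1), State("s3", 1)], ["nu(1)", "send", "tau"])
ALPHA_P = Execution([State("u0", 0), State("u1", 0), State("u2", 1), State("u3", 1)], ["tau", "nu(1)", "send"])
R_PAIRS = {("s0", "u0"), ("s0", "u1"), ("s1", "u2"), ("s2", "u3"), ("s3", "u3")}
R = lambda x, y: (x.name, y.name) in R_PAIRS        # the relation R over states(A) x states(B), by name
```

Reordering the actions of the B execution so that `send` precedes the time passage makes the search fail, since Condition 3 can no longer be met at any time-consistent pair of states.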

Now the Execution Correspondence Theorem can be stated for the timed model. 


Theorem 6.26 (Execution Correspondence Theorem)


Let $A$ and $B$ be timed automata with the same visible actions. Assume for $X \in \{tF, tR, itB,$
$tH, itP\}$ that $A \leq_X B$ via $S$. Then $(A,B) \in_t S$.


Proof. Similar to the ECT proof in the untimed model (Theorem 6.11). $\square$


6.2.3 Proving the Timed Safe Preorders


Because timed $R$-related executions have the same time in related states and their visible
traces correspond, it is possible to prove that timed $R$-related executions have the same timed
traces.


Lemma 6.27


Let $A$ and $B$ be timed automata with the same external actions and let $R$ be a relation over
$\textit{states}(A) \times \textit{states}(B)$ such that if $(s,u) \in R$ then $s.\textit{now} = u.\textit{now}$. Then, if $(\alpha,\alpha') \in_t R$,
$\textit{t-trace}(\alpha) = \textit{t-trace}(\alpha')$.


Proof. Similar to the proofs of Lemmas 6.14 and 6.15. $\square$
Soundness of the timed simulations with respect to timed trace inclusion now follows. 


Lemma 6.28 (Soundness of timed simulations w.r.t. timed trace inclusion)


Let $A$ and $B$ be timed automata with the same external actions. Assume for $X \in \{tF, tR, itB,$
$tH, itP\}$ that $A \leq_X B$. Then


1. $\textit{t-traces}(A) \subseteq \textit{t-traces}(B)$
2. $\textit{t-traces}^*(A) \subseteq \textit{t-traces}^*(B)$
3. $\textit{t-traces}^\infty(A) \subseteq \textit{t-traces}^\infty(B)$


Proof. Consider the three parts separately.

1. Suppose $\gamma \in \textit{t-traces}(A)$. Then by definition there exists a timed execution $\Sigma \in \textit{t-exec}(A)$
such that $\textit{t-trace}(\Sigma) = \gamma$. Now, the sampling results of Lemmas 4.4 and 4.7 imply
the existence of an execution $\alpha \in \textit{exec}(A)$ with $\textit{t-trace}(\alpha) = \textit{t-trace}(\Sigma)$. Then ECT
(Theorem 6.26) and Lemma 6.27 imply the existence of an execution $\alpha' \in \textit{exec}(B)$ such
that $\textit{t-trace}(\alpha') = \textit{t-trace}(\alpha)$. Finally, the sampling results of Lemmas 4.3 and 4.7 give
the existence of a timed execution $\Sigma' \in \textit{t-exec}(B)$ with $\textit{t-trace}(\Sigma') = \textit{t-trace}(\alpha')$.

Thus, $\textit{t-trace}(\Sigma') = \textit{t-trace}(\alpha') = \textit{t-trace}(\alpha) = \textit{t-trace}(\Sigma) = \gamma$. Therefore $\gamma \in \textit{t-traces}(B)$.
That suffices.


2. Similar to Part 1. Also use Lemma 6.25 Part 2 and Lemma 4.6 Part 1 to prove the
following: if $\Sigma$ is finite then $\alpha$, $\alpha'$, and $\Sigma'$ are also finite. Then the result follows.


3. Similar to Part 2. Use Lemma 6.25 Part 3 and Lemma 4.6 Part 2. $\square$


Based on this lemma, the soundness of the timed simulations with respect to the timed safe 
preorders can be shown. 


Theorem 6.29 (Soundness of timed simulations w.r.t. the timed safe preorders)


Let $(A,L)$ and $(B,M)$ be live timed I/O automata with $\textit{vsig}(A) = \textit{vsig}(B)$, and assume for
some $X \in \{tF, tR, itB, tH, itP\}$ that $A \leq_X B$. Then


1. $A \sqsubseteq_{tS} B$
2. $A \sqsubseteq^{*}_{tS} B$
3. $A \sqsubseteq^{\infty}_{tS} B$
4. $A \sqsubseteq^{*\infty}_{tS} B$


Proof. Parts 1-3 follow directly from Lemma 6.28 Parts 1-3 and the definition of the timed
safe preorders (Definition 4.36). Part 4 follows, by Definition 4.36, from Parts 2 and 3. $\square$


6.2.4 Proving the Timed Live Preorder 


It is possible to characterize timed liveness conditions by a set of ordinary executions such that 
a lemma like Lemma 6.18 (based on the timed simulation techniques above) can be stated. 
Start by defining such (minimal) sampling characterizations of liveness conditions. 


Definition 6.30 ((Minimal) sampling characterizations)


Let $(A,L)$ be a live timed I/O automaton. A set $L_0 \subseteq \textit{exec}(A)$ is a sampling characterization
of $L$ if $L = \{\Sigma \in \textit{t-exec}^\infty(A) \mid \text{for all } \alpha \in \textit{exec}(A) \text{ where } \alpha \text{ samples } \Sigma,\ \alpha \in L_0\}$.


Furthermore, $L_0$ is said to be minimal if it equals the set of all samplings of all timed executions
in $L$. $\square$

For any live timed I/O automaton $(A,L)$, $L$ has a minimal sampling characterization $L_0$,
namely the one containing all samplings of the timed executions in $L$.


Lemma 6.31


Let $(A,L)$ and $(B,M)$ be live timed I/O automata with $\textit{vsig}(A) = \textit{vsig}(B)$. Assume that $L_0$ and
$M_0$ are sampling characterizations of $L$ and $M$, respectively, and assume that $M_0$ is minimal.
Assume for some $X \in \{tF, tR, itB, tH, itP\}$ that $A \leq_X B$ via $S$. If

$$\forall (\alpha,\alpha') \in_t S : (\alpha \in L_0 \Rightarrow \alpha' \in M_0)$$

then $(A,L) \sqsubseteq_{tL} (B,M)$.


Proof. Let $\gamma \in \textit{t-traces}(L)$ be an arbitrary timed trace of $L$ and let $\Sigma \in L$ with $\textit{t-trace}(\Sigma) = \gamma$.
Based on the sampling result of Lemma 4.4 and the fact that $L_0$ is a sampling characterization
of $L$, there exists an execution $\alpha \in \textit{exec}(A)$ such that $\alpha$ samples $\Sigma$ and $\alpha \in L_0$. Based on the
sampling results of Lemmas 4.6 and 4.7, $\alpha$ is admissible and $\textit{t-trace}(\alpha) = \gamma$. Then by ECT
(Theorem 6.26) there exists an $\alpha' \in \textit{exec}(B)$ such that $(\alpha,\alpha') \in_t S$. Lemmas 6.25 and 6.27
imply that $\alpha'$ is admissible and $\textit{t-trace}(\alpha') = \gamma$. By the hypothesis in this lemma, $\alpha' \in M_0$.
Then, based on the sampling results of Lemmas 4.3, 4.6, and 4.7, there exists a $\Sigma' \in \textit{t-exec}^\infty(B)$
with $\textit{t-trace}(\Sigma') = \gamma$. Now, since $M_0$ is a minimal sampling characterization of $M$, $\Sigma' \in M$ and
thus $\gamma \in \textit{t-traces}(M)$. By definition of $\sqsubseteq_{tL}$ (Definition 4.36) this suffices. $\square$


Lemma 6.31 can be used to prove the live preorder between two live timed I/O automata in
a manner similar to the way Lemma 6.18 is used in the untimed model. However, one must
first find sampling characterizations of the liveness conditions. Furthermore, the sampling
characterization for the high-level liveness condition must be minimal. In practice the liveness
condition $L$ of a live timed I/O automaton is often defined as those timed executions that
have all their samplings in some set of ordinary executions $L_0$, which, in turn, could be those
executions that satisfy some formula in a temporal logic. In this case $L_0$ is, by definition, a
sampling characterization of $L$. Then, the only remaining proof obligation is to show that the
sampling characterization of the high-level live timed I/O automaton is minimal. In [SLL93]
there is an example of the use of Lemma 6.31.


7 Concluding Remarks 


This paper extends I/O automata [LT87, MMT91] to handle general liveness properties in both
the timed and untimed model, and creates a coordinated framework where timed and untimed
systems can be analyzed. A key aspect of the models is the notion of environment-freedom,
which expresses the fact that a live (timed) I/O automaton does not constrain its environment.
Moreover, the simulation method of [AL91a, LV91, LV93a, LV93b, Jon91] is extended to our
model, making the results of this paper immediately applicable in practice. A substantial
verification project using the model appears in [SLL93, LLS93]. In addition to generalizing
the I/O automaton model [LT87] and its timed version [MMT91], our model generalizes the
failure-free complete trace structures of [Dil88] and the strong I/O feasibility notion of [VL92].

People familiar with process algebras might object to our model, arguing that environment- 
freedom is too restrictive since it rules out several systems that might be of interest at a high 
level of abstraction. We recognize this objection and regard the generalization of the model 
as future work. In fact, our model is closer to the classical models of the process algebraic 
community than the models of [AL93, AL91b], and thus may represent a natural starting point 
for possible generalizations. Some promising results come from [Seg93], which shows that there 
is a strong connection between the trace semantics of I/O automata and the MUST preorder of 
the theory of testing [DH84]. 

Another line of research consists of extending the current model to handle systems with 
probabilistic behaviors. The ultimate goal would be a model where probabilistic behaviors, 
timing constraints, safety properties, and liveness properties can be integrated together. 